Moxa Product Flaws Enable Privilege Escalation and Security Policy Bypass
CERT-FR published two advisories covering vulnerabilities in Moxa products, warning that the flaws could let attackers escalate privileges and undermine core security controls. One notice said successful exploitation could also affect data confidentiality and data integrity, raising concern for industrial and networked environments where Moxa equipment is commonly deployed.
A separate CERT-FR notice reported another Moxa vulnerability that could allow an attacker to bypass the security policy. The advisories did not provide further technical details in the referenced content, including affected models, CVE identifiers, or specific remediation steps, leaving organizations to monitor vendor and national CERT guidance closely for product impact and patch information.
Timeline
Apr 27, 2026
CERT-FR publishes Moxa multiple-vulnerability advisory
CERT-FR published a new advisory covering multiple vulnerabilities in Moxa products. The notice said the flaws could allow a remote attacker to cause denial of service, compromise data confidentiality, and bypass security policy controls.
Apr 20, 2026
CERT-FR publishes second Moxa vulnerability notice for security-policy bypass
CERT-FR published a separate advisory about another vulnerability in Moxa products that could allow an attacker to bypass the security policy. The available content did not include affected models, a CVE, or remediation details.
Apr 8, 2026
CERT-FR publishes Moxa privilege-escalation vulnerability notice
CERT-FR published an advisory about a vulnerability in Moxa products that could allow privilege escalation and affect data confidentiality and integrity.
Related Stories

Moxa DA Series BIOS/Intel Firmware Vulnerabilities Affecting Industrial PCs
**Moxa** published security advisories for its industrial computer **DA Series** indicating that multiple vulnerabilities in underlying **Intel firmware components** can impact affected devices, including conditions leading to **remote denial of service**, **privilege escalation**, and potential **confidentiality** impacts. Affected systems include **DA-682C** (BIOS versions prior to `v1.6`), **DA-820C** (prior to `v1.3`), and **DA-820E** (as listed by CERT-FR), with the Canadian Centre for Cyber Security also flagging DA Series BIOS exposure broadly and calling out DA-682C BIOS `v1.5` and earlier and DA-820C BIOS `v1.2` and earlier. The advisories map to Intel security issues including **Intel BIOS firmware DoS** (**INTEL-SA-00813**) and multiple vulnerabilities in **Intel CSME/AMT** (**INTEL-SA-00391**, **INTEL-SA-00709**). CERT-FR’s notice references related CVEs (including **CVE-2020-8747**, **CVE-2020-8749**, **CVE-2020-8752**, and **CVE-2022-28697**) and directs organizations to apply vendor-provided BIOS updates and mitigations from Moxa’s bulletins (`mpsa-256821`, `mpsa-256822`, `mpsa-256823`) to reduce exposure in operational technology environments.
1 month ago
Critical Hard-Coded JWT Secret Vulnerability in Moxa Network Security Appliances (CVE-2025-6950)
A critical security vulnerability, tracked as CVE-2025-6950, has been identified in Moxa network security appliances and routers, allowing unauthenticated attackers to gain administrative access via a hard-coded JWT secret. The flaw, which carries a CVSS score of 9.9, stems from the use of a hard-coded secret key for signing JSON Web Tokens (JWT) used in the authentication process. This insecure implementation enables attackers to forge valid JWTs without any prior authentication, effectively bypassing all access controls. As a result, an attacker can impersonate any user, including administrators, and obtain full control over the affected device. Exploitation of this vulnerability can lead to unauthorized access, data theft, and complete system compromise. The vulnerability is remotely exploitable, significantly increasing the risk to organizations deploying these devices in critical network environments. According to the available reports, there is no evidence that exploitation of this flaw leads to loss of confidentiality or integrity in systems beyond the affected device itself. The vulnerability was disclosed by Moxa’s Product Security Incident Response Team (PSIRT) and has been publicly documented in multiple security advisories. Security researchers emphasize the severity of the issue due to the ease of exploitation and the potential impact on industrial and enterprise networks. The affected products include a range of Moxa network security appliances and routers, though specific model versions have not been detailed in the public advisories. Organizations using these devices are urged to review their deployments and apply any available patches or mitigations as soon as possible. The vulnerability was published and last updated on October 17, 2025, highlighting the need for immediate attention from network administrators. 
The flaw is distinct from other recent privilege escalation vulnerabilities in Moxa products, as it allows for unauthenticated, rather than authenticated, administrative takeover. Security experts recommend monitoring for signs of unauthorized access and reviewing authentication logs for suspicious activity. The use of hard-coded credentials is a well-known security anti-pattern, and this incident underscores the importance of secure key management in authentication systems. Moxa has been notified and is expected to release further guidance and remediation steps. Until patches are available, organizations should consider network segmentation and access restrictions to limit exposure. The incident has raised concerns about the security of industrial control systems and the potential for similar flaws in other embedded network devices. The vulnerability’s critical rating and remote exploitability make it a high-priority issue for all organizations relying on Moxa network security appliances.
1 month ago
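Why a signing key shipped in firmware defeats token authentication, and what per-device key generation changes, shown as an added example (not Moxa's code and not from the advisories). HS256, the `Device` class, the claim names and the placeholder key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder standing in for a key baked into a firmware image.
FIRMWARE_KEY = b"constructed-placeholder-not-a-real-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _mac(signing_input: str, key: bytes) -> str:
    return _b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def issue_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT (HS256 is an assumption; the page names no algorithm)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_mac(header + '.' + payload, key)}"


def verify_token(token: str, key: bytes) -> bool:
    """Constant-time signature check; malformed tokens are rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expected = _mac(parts[0] + "." + parts[1], key)
    return hmac.compare_digest(expected.encode(), parts[2].encode())


class Device:
    """Hypothetical appliance: shared firmware key vs. key generated at first boot."""

    def __init__(self, per_device_key: bool):
        self.key = secrets.token_bytes(32) if per_device_key else FIRMWARE_KEY


def token_crosses_devices(per_device_key: bool) -> bool:
    """Is a token signed with device A's key accepted by device B?"""
    a, b = Device(per_device_key), Device(per_device_key)
    token = issue_token({"sub": "admin", "role": "administrator"}, a.key)
    return verify_token(token, b.key)
```

With the shared key every unit trusts the same signer, so the secret cannot be rotated on one device without a firmware change; with a key generated on the device, a token is only valid on the unit that issued it.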
Moxa Industrial Ethernet Switches Affected by OpenSSH `ssh-agent` RCE (CVE-2023-38408)
Moxa issued guidance for a **critical remote code execution (RCE)** risk affecting multiple *industrial Ethernet switch* lines due to **CVE-2023-38408** in the OpenSSH `ssh-agent` PKCS#11 feature (OpenSSH versions prior to `9.3p2`). The flaw is described as an **unreliable/unquoted search path** issue (CWE-428) and is characterized as an incomplete fix related to **CVE-2016-10009**; exploitation can lead to full device compromise impacting confidentiality, integrity, and availability, with a reported **CVSS 3.1 score of 9.8**. Impacted products include Moxa **EDS** series switches (e.g., `EDS-G4000`, `EDS-4008/4009/4012/4014`, `EDS-G4008/G4012/G4014`) running **firmware `v4.1` or earlier**, and **RKS** series switches (e.g., `RKS-G4000`, `RKS-G4028`, `RKS-G4028-L3`) running **firmware `v5.0` or earlier**. Moxa’s remediation requires obtaining patches via **Moxa Technical Support** rather than public download; the cited target versions are **`4.1.58`** for EDS and **`5.0.4`** for RKS. Until updates can be applied, recommended mitigations include restricting network access (e.g., firewalls/ACLs) and segmenting OT networks (e.g., VLAN separation) to limit exposure.
1 month ago