AWK-3121 Series Industrial AP/Bridge/Client Vulnerabilities

  • Security Advisory ID: MPSA-191101
  • Version: V1.0
  • Release Date: Dec 02, 2019
  • Reference:
    • CVE-2018-10690, CVE-2018-10691, CVE-2018-10692, CVE-2018-10693, CVE-2018-10694, CVE-2018-10695, CVE-2018-10696, CVE-2018-10697, CVE-2018-10698, CVE-2018-10699, CVE-2018-10700, CVE-2018-10701, CVE-2018-10702, CVE-2018-10703

Multiple product vulnerabilities were identified in Moxa’s AWK-3121 Series. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

| Item | Vulnerability Type | Impact |
|------|--------------------|--------|
| 1 | Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77) CVE-2018-10697, CVE-2018-10699 | Multiple parameters are susceptible to command injection |
| 2 | Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77) | Specified parameter is susceptible to command injection via shell metacharacters |
| 3 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | Vulnerable to cross-site scripting attack to steal the cookie |
| 4 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) | Specified parameter is susceptible to XSS payload injection |
| 5 | Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) CVE-2018-10693, CVE-2018-10695, CVE-2018-10701, and CVE-2018-10703 | Multiple parameters are susceptible to buffer overflow |
| 6 | Credentials Management (CWE-255) CVE-2018-10690 | The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server |
| 7 | Credentials Management (CWE-255) CVE-2018-10694 | The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default |
| 8 | Credentials Management (CWE-255) CVE-2018-10698 | The device enables an unencrypted TELNET service by default |
| 9 | Improper Access Control (CWE-284) CVE-2018-10691 | Vulnerable to unauthorized systemlog.log download |
| 10 | Cross-Site Request Forgery (CSRF) (CWE-352) CVE-2018-10696 | Web interface is not protected against CSRF attacks |

Affected Products:

The affected products and firmware versions are shown below.

| Product Series | Affected Versions |
|----------------|-------------------|
| AWK-3121 Series | Firmware Version 1.14 or lower |



Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

| Product Series | Solutions |
|----------------|-----------|
| AWK-3121 Series | This product has been phased out. Please contact Moxa Technical Support for assistance. |



We would like to express our appreciation to Samuel Huntley for reporting the vulnerability, working with us to help enhance the security of our products, and helping us provide a better service to our customers.

Revision History:

1.0 First Release Dec 02, 2018
