Solutions
The table below lists all affected product series. Users should follow the solutions below to remediate affected systems.
| PRODUCT SERIES | AFFECTED VERSIONS | SOLUTIONS |
|---|---|---|
| UC Series<br>- UC-1200A Series<br>- UC-2200A Series<br>- UC-3400A Series<br>- UC-4400A Series<br>- UC-8600A Series<br>- UC-8200 Series | Moxa Industrial Linux (MIL)<br>- MIL3 v1.4 and earlier, and MIL4 v1.0<br>- MIL3 v1.4 and earlier, and MIL4 v1.0<br>- MIL3 v1.2 and earlier, and MIL4 v1.0<br>- MIL3 v1.3 and earlier, and MIL4 v1.0<br>- MIL4 v1.1 and earlier<br>- MIL3 v1.5 and earlier | Please refer to Update Instructions - For MIL-based Products as the primary remediation step<br>For additional support, please contact Moxa Technical Support |
| V Series<br>- V1200 Series<br>- V3200 Series<br>- V3400 Series | Moxa Industrial Linux (MIL)<br>- MIL3 v1.2.0 and earlier<br>- MIL3 v1.1 and earlier<br>- MIL3 v1.1 and earlier | |
| VM Series | Moxa Industrial Linux (MIL) | |
| IoThinx Series | Moxa Industrial Linux (MIL) | |
| AIG Series<br>- AIG-302 Series<br>- AIG-502 Series | Firmware<br>- v1.4.0 and earlier<br>- v1.0.0 | |
| BXP Series<br>- BXP-A100 Series<br>- BXP-A101 Series<br>- BXP-C100 Series | Debian ordered via CTOS<br>- Debian 11 V1.0<br>- Debian 12 V1.0 | Please refer to Update Instructions - For Debian-based Products as the primary remediation step<br>For upstream security information, please refer to Debian Security Advisories. |
| DRP Series<br>- DRP-A100 Series<br>- DRP-C100 Series | Debian ordered via CTOS | |
| RKP Series<br>- RKP-A110 Series<br>- RKP-C110 Series<br>- RKP-C220 Series | Debian ordered via CTOS<br>- Debian 11 V1.0<br>- Debian 12 V1.0 | |
| MXsecurity Series | Software v2.3.1 and earlier | Software v2.3.3 or later |
Update Instructions
Affected products run either Moxa Industrial Linux (MIL) or Debian Linux. Each OS type requires a different update procedure. Before proceeding, confirm your device's OS type from the Affected Products table, then follow the corresponding section below.
The following packages are available to remediate affected systems.
| PRODUCT SERIES | PACKAGE NAME with VERSION |
|---|---|
| UC-1200A Series | MIL3.4.1 and before<br>MIL4.0.0 |
| UC-2200A Series | MIL3.4.1 and before<br>MIL4.0.0 |
| UC-3400A Series | MIL3.4.1 and before<br>MIL4.0.0 |
| UC-4400A Series | MIL3.4.1 and before<br>MIL4.0.0 |
| UC-8200 Series | MIL3.4.1 and before |
| UC-8600 Series | MIL4 v1.0 |
| V1200 Series | MIL3 |
| V3200 Series | MIL3 |
| V3400 Series | MIL3 |
| VM-1220 | MIL3<br>- linux-image-5.10.0-cip-rt-moxa-am64x=5.10.214-cip46-rt19-moxa12-1+deb11u2 |
| ioThinx 4533 | MIL3<br>- linux-image-5.10.0-cip-rt-moxa-imx7d-rt=5.10.194-cip39-rt16-moxa27-1+deb11 |
| AIG-302 Series | MIL3<br>- linux-image-5.10.0-cip-rt-moxa-imx7d=5.10.234-cip57-rt25-moxa9-1+deb11u7 |
| AIG-502 Series | MIL3<br>- linux-image-5.10.0-amd64-moxa-kabylake=5.10.251-5-moxa+deb11<br>- moxa-it87-wdt-driver-amd64=5.2+1.5.0-1+deb11u2<br>- moxa-it87-serial-driver-amd64=1.4.1+u2+deb11u2<br>- moxa-it87-gpio-driver-amd64=5.2+1.5.0-1+deb11u2<br>- insyde-phy-alloc-driver-amd64=5.10+8+deb11u3<br>- moxa-mxu11x0-driver-amd64=5.10+5.1+deb11u3<br>- moxa-mxuport-driver-amd64=5.10+5.1+deb11u3<br>- moxa-intel-spi-driver-amd64=1.1.0+deb11u2 |
For MIL-based Products
MIL-based products receive security updates through the Moxa apt server.
Select the procedure that matches your network environment:
- Online: your device has direct access to the Moxa apt server.
- Offline: your device operates in an air-gapped or restricted network.
Online update procedures
sudo apt update
sudo apt install <package_name with version>
Offline update procedures
This procedure is intended for systems operating in air-gapped environments.
Prerequisites
Offline Phase 1 - Download on Staging Machine
sudo apt update
mkdir /tmp/cve-update && cd /tmp/cve-update
apt download <package_name with version>
Offline Phase 2 - Install on Target System
cd /path/to/deb-files/
sudo dpkg -i *.deb
Post-Update Verification
- After applying the security updates, reboot the system. After the system has rebooted, perform a version check to ensure the update was successful.
- Run the following command for each package listed under your product series in the Packages List above:
dpkg-query -W <package_name>
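The per-package version check above, scripted for a whole package list (an added example, not part of the Moxa advisory). The `check_pins` function name, the pins-file format (one `package=version` line per package, copied from the package table) and the optional saved `dpkg-query -W` snapshot are assumptions of this example; it tests for an exact version match.

```shell
#!/bin/sh
# Added example, not from the advisory.
# check_pins PINS_FILE [SNAPSHOT]
#   PINS_FILE  one "package=version" line per package (format assumed here)
#   SNAPSHOT   optional saved output of `dpkg-query -W` from the target device,
#              for review on another machine; without it the live dpkg
#              database is queried.
# Prints one status line per package and returns 1 if any package is missing
# or installed at a version other than the pinned one.
check_pins() {
    pins=$1 snapshot=${2:-}
    rc=0
    while IFS='=' read -r pkg want; do
        case $pkg in ''|'#'*) continue ;; esac      # skip blanks and comments
        if [ -n "$snapshot" ]; then
            # dpkg-query -W prints "name<TAB>version"; name may carry ":arch"
            have=$(awk -F'\t' -v p="$pkg" \
                '{ n = $1; sub(/:.*/, "", n) } n == p { print $2; exit }' "$snapshot")
        else
            have=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null || true)
        fi
        if [ -z "$have" ]; then
            echo "MISSING $pkg want=$want"; rc=1
        elif [ "$have" = "$want" ]; then
            echo "OK $pkg $have"
        else
            echo "DIFFERS $pkg have=$have want=$want"; rc=1
        fi
    done < "$pins"
    return $rc
}
```

A `DIFFERS` line also appears when a newer build than the pinned one is installed, so read the reported versions before treating it as a failed update.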
Post-Update Cleanup
If you previously applied the interim mitigations, check Mitigation Removal to remove them after the update has been successfully applied and verified.
For Debian-based Products
The BXP, DRP, and RKP Series run Debian Linux. Security updates are applied through the Debian security repository and the Moxa x86 SDK.
Select the procedure that matches your network environment:
- Online: your device has direct access to the Debian security repository.
- Offline: your device operates in an air-gapped or restricted network.
Prerequisites
Download the x86 SDK from the Resources tab on the product page on the Moxa website.
Update Procedures
- Step 2 - Update the package index and upgrade the kernel
  - Online
    sudo apt-get update
    sudo apt-get install --only-upgrade linux-image-amd64 -y
  - Offline
    - Download on staging machine
      sudo apt-get update
      mkdir /tmp/cve-update && cd /tmp/cve-update
      sudo apt-get download linux-image-amd64
    - Transfer the downloaded .deb files to the target system via an authorized secure medium. Then on the target system, back up critical configuration files and install:
      cd /path/to/deb-files/
      sudo dpkg -i *.deb
    - Note: If dependency errors occur, ensure all required dependency packages are included.
- Step 3 - Reinstall the x86 SDK
- Step 4 - Reboot the system
- Step 5 - Cleanup
  - If you previously applied the interim mitigations, check Mitigation Removal to remove them after the update has been successfully applied and verified.
Mitigations
Interim Mitigation — Module Blacklisting
When updates cannot be deployed immediately, the following mitigation can be applied. This procedure disables the vulnerable kernel modules and effectively closes the known attack vectors for CVE-2026-31431, CVE-2026-43284, and CVE-2026-43500 on affected systems.
IMPORTANT: Before applying this mitigation, read the Functional Impact Analysis section below. Disabling IPsec modules (esp4/esp6) will interrupt all VPN tunnels. Do not apply this mitigation blindly on systems that depend on IPsec for network connectivity. Additionally, Step 5 (flushing the page cache) may cause a brief I/O performance degradation as cached data must be reloaded from the disk. It is recommended to execute this step during a scheduled maintenance window on I/O-intensive systems.
Step 1: Mitigate CVE-2026-31431 (algif_aead module)
For AIG-302 and UC-8200 Series:
algif_aead is compiled into the kernel (built-in) in this firmware, so it cannot be removed at runtime via modprobe or blocked through blacklisting. The only mitigation is to block its initialization at boot using the initcall_blacklist kernel parameter.
⚠️ These commands modify bootloader environment variables directly. A mistake may render the device unbootable and require manual recovery via serial console. Physical access is required before proceeding.
$ sudo fw_setenv bootargs 'console=ttymxc0,115200n8 root=/dev/mmcblk2p2 rootfstype=ext4 rw rootwait fsck.mode=force fsck.repair=yes noinitrd console=ttymxc0,115200 pci=nomsi initcall_blacklist=algif_aead_init'
$ sudo fw_setenv bootcmd 'mmc rescan;load mmc 2:1 ${loadaddr} working/imx7d-moxa.itb;bootm ${loadaddr}'
$ sudo fw_setenv boot_process 2
⚠️ Before rebooting, verify the changes:
$ sudo fw_printenv bootargs
$ sudo fw_printenv bootcmd
$ sudo fw_printenv boot_process
Confirm the output matches the values set above, then reboot the device for the changes to take effect.
Once the firmware update with the official fix is applied, revert the boot configuration:
$ sudo fw_setenv boot_process 0
$ sudo fw_setenv bootargs
$ sudo fw_setenv bootcmd
For All Other Products:
Create blacklist configuration, unload module, and verify:
$ echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/moxa-cve-2026-algif.conf
$ sudo rmmod algif_aead 2>/dev/null || true
$ lsmod | grep algif_aead
No output indicates the module is not loaded.
Step 2: Mitigate CVE-2026-43284 (esp4/esp6 modules - IPsec)
Determining If IPsec Is in Use
Check if your system has the esp4/esp6 modules loaded:
$ lsmod | grep -E 'esp4|esp6'
If no output is returned, IPsec is not running and you can safely use the blocklist method. If the modules appear in the output, verify whether IPsec is configured by checking:
$ ip xfrm state
$ ip xfrm policy
If either command shows active entries, IPsec is in use. Choose the appropriate method below based on your IPsec requirements.
Blocklist Method
Warning: This method disables IPsec. Only use if your system does not require IPsec connectivity.
$ echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/moxa-cve-2026-ipsec.conf
$ echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/moxa-cve-2026-ipsec.conf
$ sudo rmmod esp4 esp6 2>/dev/null; true
User Namespace Restriction Method
This approach maintains IPsec functionality by restricting unprivileged user namespaces instead of disabling the esp4/esp6 modules.
Warning: Rootless containers, browser sandboxing features, and Flatpak will be affected. Root containers and regular applications continue to function normally.
$ echo "user.max_user_namespaces=0" | sudo tee /etc/sysctl.d/moxa-dirtyfrag.conf
$ sudo sysctl --system
Step 3: Mitigate CVE-2026-43500 (rxrpc module)
The rxrpc module provides RxRPC protocol support for AFS (Andrew File System). Most industrial deployments do not use AFS. Disable the module using:
$ echo "install rxrpc /bin/false" | sudo tee /etc/modprobe.d/moxa-cve-2026-rxrpc.conf
$ sudo rmmod rxrpc 2>/dev/null; true
$ lsmod | grep rxrpc
No output indicates the module is successfully disabled.
Step 4: Verification
Confirm that all targeted modules are no longer loaded:
$ lsmod | grep -E 'algif_aead|esp4|esp6|rxrpc'
No output confirms successful mitigation. If any modules remain loaded, they are in active use by running connections. Schedule a system reboot during your next maintenance window to complete the mitigation.
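A fuller check than the lsmod grep above (an added example, not Moxa's own tooling): lsmod lists only loadable modules, so a built-in algif_aead on the AIG-302 and UC-8200 Series never appears there and has to be checked against the kernel command line instead. The function names, state words and overridable path variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory. Paths are variables so the logic can run
# against constructed sample files; the defaults read the live system.
PROC_MODULES=${PROC_MODULES:-/proc/modules}
MODULES_BUILTIN=${MODULES_BUILTIN:-/lib/modules/$(uname -r)/modules.builtin}
CMDLINE=${CMDLINE:-/proc/cmdline}
MODPROBE_DIR=${MODPROBE_DIR:-/etc/modprobe.d}
USERNS_MAX=${USERNS_MAX:-/proc/sys/user/max_user_namespaces}

# module_state MODULE [INITCALL] -> prints one state word
module_state() {
    mod=$1 initcall=${2:-}
    # Built-in code never appears in lsmod; modules.builtin lists it as .../<mod>.ko
    if grep -qs "/${mod}\.ko\$" "$MODULES_BUILTIN"; then
        # initcall_blacklist= holds a comma-separated list of init function names
        if [ -n "$initcall" ] && tr ' ' '\n' < "$CMDLINE" |
            sed -n 's/^initcall_blacklist=//p' | tr ',' '\n' | grep -qx "$initcall"; then
            echo builtin-blocked
        else
            echo builtin-active
        fi
    elif grep -qs "^${mod} " "$PROC_MODULES"; then
        echo loaded                      # same data lsmod prints
    elif grep -qsE "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/false" \
            "$MODPROBE_DIR"/*.conf; then
        echo blocked                     # modprobe will refuse to load it
    else
        echo loadable                    # not loaded now, but nothing prevents it
    fi
}

# audit_mitigation -> one "module state" line each; returns 1 if anything is exposed
audit_mitigation() {
    rc=0
    for entry in algif_aead:algif_aead_init esp4: esp6: rxrpc:; do
        name=${entry%%:*}
        state=$(module_state "$name" "${entry#*:}")
        # esp4/esp6 may stay in place when the user-namespace method was chosen
        case $name in esp4|esp6)
            if [ "$state" != blocked ] && [ "$(cat "$USERNS_MAX" 2>/dev/null)" = 0 ]; then
                state=userns-restricted
            fi ;;
        esac
        echo "$name $state"
        case $state in loaded|loadable|builtin-active) rc=1 ;; esac
    done
    return $rc
}
```

Source the file and call `audit_mitigation`; a `loadable` result means the module is absent from lsmod but no `install ... /bin/false` entry stops it from being loaded again.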
Step 5: Drop Page Cache (Optional)
⚠️ Note: This causes a temporary increase in disk I/O as the cache repopulates. On file servers or database servers, expect a brief period of reduced read performance.
$ sync
$ echo 3 | sudo tee /proc/sys/vm/drop_caches
Functional Impact Analysis — Read Before Applying
- algif_aead: Minimal impact. Affects only custom applications using the Linux userspace crypto socket API. Standard industrial applications are not affected.
- esp4 / esp6 (IPsec):
  - Blocklist Method: High impact. Disabling these modules will immediately terminate all IPsec/VPN tunnels and prevent them from restarting. Do not use this method on devices where IPsec is required for network communications or OT/IT segregation.
  - User Namespace Restriction Method: Preserves IPsec functionality but affects rootless containers (Docker/Podman), sandboxed browsers, and Flatpak applications. Privileged containers and standard applications are not affected.
- rxrpc: Minimal expected impact. RxRPC is a specialized Linux networking protocol and is not used by standard Moxa industrial applications or typical default deployments. Disabling the rxrpc module is not expected to affect normal device operation. Customers running customized applications, third-party packages, or non-standard integrations should confirm that RxRPC is not required in their environment before applying this mitigation.
General Security Recommendations
To safeguard devices and networks, we recommend the following measures to mitigate potential risks:
- Restrict network access.
  - Use firewalls or access control lists (ACLs) to limit communication to trusted IP addresses and networks.
  - Segregate operational networks from other networks (e.g., enterprise networks) using VLANs or physical separation.
- Minimize exposure.
- Enhance device authentication and access control.
- Regularly update firmware and software.
- Secure remote access.
  - Use encrypted communication protocols (e.g., VPN, SSH) for remote access.
  - Restrict remote access to authorized personnel only and enforce strong authentication mechanisms.
- Implement anomaly detection techniques.
- Implement logging and monitoring.
- Conduct regular security assessments.
Products Confirmed Not Affected
Only products listed in the Affected Products and Solutions section of this advisory are confirmed to be affected by these vulnerabilities. The products confirmed not affected are listed below.
- UC Series: UC-2100 Series, UC-3100 Series, UC-5100 Series, UC-8100 Series, UC-8100A-ME-T Series, UC-8100-ME-T Series, UC-8200 Series (MIL1), UC-8410A Series, UC-8540 Series
- V Series: V2201 Series, V2403C Series, V2406C Series
- AIG Series: AIG-101 Series, AIG-301 Series, AIG-501 Series
- All other Industrial Computing products, such as DA Series, MC Series, and Panel PCs.
Revision History
| VERSION | DESCRIPTION | RELEASE DATE |
|---|---|---|
| 1.0 | First release | May 26, 2026 |
| 1.1 | Add Solutions for MXsecurity Series | June 18, 2026 |
| 1.2 | Solutions section: Update description in Solutions section. Update Solutions for all of the affected products.<br>Update Instructions section: Add Update Instructions section.<br>Mitigation section: Update description in Interim Mitigation — Module Blacklisting section. Add Mitigation Removal section.<br>Solutions for CTOS section: Remove Solutions for CTOS section. | June 26, 2026 |