Product support

Security Advisories

SUMMARY

MXview Series Network Management Software Vulnerabilities

  • Version: V1.0
  • Release Date: Sep 17, 2021
  • Reference:
    • N/A

Multiple product vulnerabilities were identified in Moxa’s MXview Series. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item Vulnerability Type Impact
1 Misconfigured service allows remote connections to internal communication channels. Allows unwanted users to interact and use MQTT remotely.
2 Use of hard-coded, default passwords (CWE-259). If hard-coded passwords are used, malicious users can gain access through the account that uses default passwords.
3 Remote code execution through improper neutralization of special elements. Attackers could execute unauthorized commands, which could then be used to disable the software, or read and modify data for which the attacker should not be able to access directly.
4 RCE through improper limitation of a pathname to a restricted directory
('Path Traversal') (CWE-22).
An attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
5 An unauthenticated user can read files through improper limitation of a pathname to a restricted directory ('Path Traversal') (CWE-22). An attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
6 An unauthenticated user can read files through improper limitation of a pathname to a restricted directory ('Path Traversal') (CWE-22). An attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
7 Files can be read through improper limitation of a pathname to a restricted directory ('Path Traversal') (CWE-22). An attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
8 Files can be edited through improper limitation of a pathname to a restricted directory ('Path Traversal') (CWE-22). An attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
9 Password leakage through unprotected transport of credentials (CWE-523). An attacker may be able to gain access to privileges or assume the identity of another user.

 

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series Affected Versions
MXview Series Software Package Version 3.x to 3.2.2.

 

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series Solutions
MXview Series
  1. Please upgrade to software package version 3.2.4 or higher. (Download Link)
  2. To keep the environment secure, please change your Windows password regularly and use a firewall.
  3. If users need to use the multiple-site function, we suggest using the firewall to block Port 8883. If users do not have this requirement, we suggest using the firewall to assign the Accessible IP of MXview at the client site.

Acknowledgment:

We would like to express our appreciation to Noam Moshe from Claroty for reporting the vulnerability, working with us to help enhance the security of our products, and helping us provide a better service to our customers.

Revision History:

VERSION DESCRIPTION RELEASE DATE
1.0 First Release Sep 17, 2021

Relevant Products

MXview Series ·

  •   Print this page
  • You can manage and share your saved list in My Moxa
Let’s get that fixed

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability
Added To Bag
Feedback