Taiwanese corporate Moxa has launched a safety replace to deal with a vital safety flaw impacting its PT switches that might allow an attacker to avoid authentication promises.
The vulnerability, tracked as CVE-2024-12297, has been assigned a CVSS v4 ranking of 9.2 out of a most of 10.0.
“More than one Moxa PT switches are liable to an authentication bypass on account of flaws of their authorization mechanism,” the corporate stated in an advisory launched final week.
“In spite of client-side and back-end server verification, attackers can exploit weaknesses in its implementation. This vulnerability might allow brute-force assaults to bet legitimate credentials or MD5 collision assaults to forge authentication hashes, probably compromising the protection of the tool.”
A success exploitation of the lack, in different phrases, may result in an authentication bypass and make allowance an attacker to realize unauthorized get entry to to delicate configurations or disrupt services and products.
The flaw affects the next variations –
- PT-508 Sequence (Firmware model 3.8 and previous)
- PT-510 Sequence (Firmware model 3.8 and previous)
- PT-7528 Sequence (Firmware model 5.0 and previous)
- PT-7728 Sequence (Firmware model 3.9 and previous)
- PT-7828 Sequence (Firmware model 4.0 and previous)
- PT-G503 Sequence (Firmware model 5.3 and previous)
- PT-G510 Sequence (Firmware model 6.5 and previous)
- PT-G7728 Sequence (Firmware model 6.5 and previous), and
- PT-G7828 Sequence (Firmware model 6.5 and previous)
Patches for the vulnerability can also be bought via contacting the Moxa Technical Fortify workforce. The corporate credited Artem Turyshev from Moscow-based Rosatom Automatic Keep an eye on Programs (RASU) for reporting the vulnerability.
Out of doors practice the most recent fixes, firms the use of the affected merchandise are advisable to limit community get entry to the use of firewalls or get entry to keep an eye on lists (ACLs), implement community segmentation, reduce direct publicity to the web, enforce multi-factor authentication (MFA) for getting access to vital techniques, allow match logging, and observe community visitors and tool conduct for odd actions.
It is value noting that Moxa resolved the similar vulnerability within the Ethernet transfer EDS-508A Sequence, operating firmware model 3.11 and previous, again in mid-January 2025.
The improvement comes somewhat over two months after Moxa rolled out patches for 2 safety vulnerabilities impacting its mobile routers, protected routers, and community safety home equipment (CVE-2024-9138 and CVE-2024-9140) that might permit privilege escalation and command execution.
Closing month, it additionally addressed more than one high-severity flaws affecting more than a few switches (CVE-2024-7695, CVE-2024-9404, and CVE-2024-9137) that might lead to a denial-of-service (DoS) assault, or command execution.