7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.9 High
AI Score
Confidence
High
0.004 Low
EPSS
Percentile
72.7%
Successful exploitation of these vulnerabilities may allow an attacker to create or overwrite critical files to execute code, gain access to the program, obtain credentials, disable the software, read and modify otherwise inaccessible data, allow remote connections to internal communication channels, or interact and use MQTT remotely.
The following versions of MXview, a network management software, are affected:
A path traversal vulnerability in the application may allow an attacker to create or overwrite critical files used to execute code, such as programs or libraries.
CVE-2021-38452 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
The affected product uses hard-coded passwords, which may allow an attacker to gain access through accounts using default passwords.
CVE-2021-38456 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The affected product is vulnerable to password leakage, which may allow an attacker to obtain credentials through unprotected transport.
CVE-2021-38460 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The affected product is vulnerable to improper neutralization of special elements, which may allow an attacker to remotely execute unauthorized commands. This could allow an attacker to disable software or read and modify otherwise inaccessible data.
CVE-2021-38458 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The affected product has a misconfigured service that allows remote connections to internal communication channels, which may allow an attacker to interact and use MQTT remotely.
CVE-2021-38454 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
Noam Moshe from Claroty reported these vulnerabilities to Moxa.
Moxa recommends users do the following:
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38452
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38454
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38456
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38458
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38460
cwe.mitre.org/data/definitions/22.html
cwe.mitre.org/data/definitions/259.html
cwe.mitre.org/data/definitions/284.html
cwe.mitre.org/data/definitions/523.html
cwe.mitre.org/data/definitions/74.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Moxa%20MXview%20Network%20Management%20Software+https://www.cisa.gov/news-events/ics-advisories/icsa-21-278-03
us-cert.cisa.gov/ics
us-cert.cisa.gov/ics
us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01
us-cert.cisa.gov/ics/recommended-practices
us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-21-278-03&title=Moxa%20MXview%20Network%20Management%20Software
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-21-278-03
www.moxa.com/en/support/product-support/software-and-documentation/search?psid=53389
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-21-278-03
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Moxa%20MXview%20Network%20Management%20Software&body=www.cisa.gov/news-events/ics-advisories/icsa-21-278-03
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.9 High
AI Score
Confidence
High
0.004 Low
EPSS
Percentile
72.7%