CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.005 Low
Percentile: 75.6%

An authentication bypass vulnerability exists in the Web Application functionality of Moxa MXView Series 3.2.4. A specially-crafted HTTP request can lead to unauthorized access. An attacker can send an HTTP request to trigger this vulnerability.
Moxa MXView Series 3.2.4
MXView Series - <https://www.moxa.com/en/products/industrial-network-infrastructure/network-management-software/mxview-series>
10.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-798 - Use of Hard-coded Credentials
Moxa’s MXview network management software is designed for configuring, monitoring, and diagnosing networking devices in industrial networks. MXview provides an integrated management platform that can discover networking devices and SNMP/IP devices installed on subnets. All selected network components can be managed via a web browser from both local and remote sites—anytime and anywhere.
The default installation of MXview adds an undocumented service listening on port 4430 which accepts authentication using admin:moxa with no obvious or documented way to change or disable this access. Changing the admin user’s password via a different service, such as the web application on ports 80/443, does not change the password for the service on port 4430 (referred to as the “polling engine port” during installation). There does not appear to be a “change password” function for this service.
Logging in to this service with these credentials provides administrator access to the MXview application’s functionality.
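Because the advisory reports no way to change or disable the credentials on port 4430, exposure has to be controlled at the network level. The following is an added example, not part of the advisory or of Moxa's software: it audits Windows `netstat -ano` output from an MXview host for non-loopback listeners on the polling engine port and for connected peers outside an approved management range. The sample output, the 10.20.0.0/24 allowlist and the function names are constructed assumptions.

```python
import ipaddress

POLLING_PORT = 4430  # "polling engine port" named in the advisory

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1804
  TCP    0.0.0.0:4430           0.0.0.0:0              LISTENING       2212
  TCP    [::]:4430              [::]:0                 LISTENING       2212
  TCP    10.20.0.5:4430         10.20.0.17:50122       ESTABLISHED     2212
  TCP    10.20.0.5:4430         192.0.2.44:61544       ESTABLISHED     2212
  TCP    10.20.0.5:49810        10.20.0.9:4430         ESTABLISHED     3120
"""

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def audit_polling_port(netstat_text, allowed_networks):
    """Report exposed listeners on POLLING_PORT and peers outside the allowlist."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    exposed, unexpected = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # skip headers, UDP rows and blank lines
        local_ip, local_port = split_endpoint(fields[1])
        if local_port != POLLING_PORT:
            continue  # only the local service matters, not outbound use of 4430
        state = fields[3]
        if state == "LISTENING" and not local_ip.is_loopback:
            exposed.append(str(local_ip))
        elif state == "ESTABLISHED":
            peer_ip, _ = split_endpoint(fields[2])
            if not any(peer_ip in net for net in allowed):
                unexpected.append(str(peer_ip))
    return {"exposed_listeners": exposed, "unexpected_peers": unexpected}

if __name__ == "__main__":
    # Hypothetical management subnet; replace with the site's own ranges.
    print(audit_polling_port(SAMPLE_NETSTAT, ["10.20.0.0/24"]))
```

Any entry under `exposed_listeners` means the service is bound to a routable interface and should be fenced by host or network firewall rules; entries under `unexpected_peers` are connections to investigate.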
2021-10-20 - Vendor disclosure
2022-02-11 - Public Release