Critical security vulnerabilities in Moxa’s MXview web-based network management system open the door to unauthenticated remote code execution (RCE) as SYSTEM on any unpatched MXview server, researchers warned this week.
The five bugs, affecting versions 3.x to 3.2.2, score a collective 10 out of 10 on the CVSS vulnerability-severity scale, according to Claroty’s Team82 research team. Three of them (CVE-2021-38452, CVE-2021-38460 and CVE-2021-38458) can be chained together to achieve the aforementioned RCE, while the others (CVE-2021-38456, CVE-2021-38454) can be used to lift passwords and other sensitive information.
Moxa’s MXview network management software is designed for configuring and monitoring networking devices in industrial control systems (ICS) and operational technology (OT) networks. It has multiple components, Team82 noted in its Thursday advisory, including an MQTT message broker named Mosquitto that transfers messages to and from different components in the MXview environment.