Moxa Industrial Ethernet Switches Vulnerability Let Attackers Gain Admin Access 


A critical security flaw in Moxa’s PT series industrial Ethernet switches enables attackers to bypass authentication mechanisms and compromise device integrity. 

Tracked as CVE-2024-12297, this vulnerability (CVSS 4.0: 9.2) affects nine PT switch models and stems from weaknesses in the authorization logic implementation despite layered client-side and server-side verification protocols. 

Researchers warn that exploitation could allow unauthorized access to sensitive industrial control systems (ICS) through brute-force credential guessing or MD5 hash collision attacks.

Overview of Authentication Bypass Vulnerability 

The flaw, classified under CWE-656: Reliance on Security Through Obscurity, occurs when the switches’ authentication framework improperly validates session tokens and cryptographic hashes. Attackers can exploit this by either:

  • Brute-forcing credentials through repeated authentication attempts
  • Generating forged MD5 hashes to mimic valid sessions

Moxa’s security advisory confirms that successful exploitation grants full administrative access to device configurations, potentially enabling network segmentation breaches, traffic interception, or operational disruption in critical infrastructure environments like power grids and manufacturing plants. 

The vulnerability’s network attack vector (AV:N) and low attack complexity (AC:L) make remotely exploitable attacks feasible without user interaction.

Mitigations

The impacted devices include:

  • PT-508/510 Series (Firmware ≤3.8)
  • PT-7528 Series (Firmware ≤5.0)
  • PT-7728/7828 Series (Firmware ≤3.9/4.0)
  • PT-G503/G510 Series (Firmware ≤5.3/6.5)
  • PT-G7728/7828 Series (Firmware ≤6.5)

Moxa has released firmware patches for all affected models, available through direct technical support requests. Organizations should:

  • Immediately isolate vulnerable switches from internet-facing networks
  • Apply patches using Moxa’s v3.8.2 (PT-508/510) or v6.5.8 (PT-G series) firmware updates
  • Replace default credentials with complex passwords (20+ characters, multi-character set)
  • Disable MD5-based authentication in favor of SHA-256 or AES-GCM algorithms

Artem Turyshev of Rosatom Automated Control Systems discovered the vulnerability during routine ICS audits, noting: “The flawed implementation of challenge-response authentication allows attackers to reverse-engineer session keys within 72 hours using GPU-accelerated clusters”. 

The UAE Cyber Security Council has issued alerts urging critical infrastructure operators to prioritize patching, given Moxa switches’ prevalence in oil/gas and transportation systems.

While no active exploits have been reported, the vulnerability’s 9.2 CVSS score reflects grave risks to industrial environments. 

Moxa recommends continuous traffic monitoring for anomalous authentication patterns and strict adherence to IEC 62443 network segmentation guidelines during remediation.
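As an added illustration of the monitoring recommended above (example code, not from Moxa or the advisory), the following script raises an alert when one source produces a burst of failed logins within a short window, and when any login attempt reaches the switch from outside an assumed management allowlist; the log format, addresses and thresholds are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of switch authentication log lines (hypothetical
# format, not Moxa's actual syslog format).
SAMPLE_LOG = """\
2025-03-01T10:00:01 auth src=10.0.5.7 user=admin result=FAIL
2025-03-01T10:00:02 auth src=10.0.5.7 user=admin result=FAIL
2025-03-01T10:00:03 auth src=10.0.5.7 user=admin result=FAIL
2025-03-01T10:00:04 auth src=10.0.5.7 user=admin result=FAIL
2025-03-01T10:00:05 auth src=10.0.5.7 user=admin result=FAIL
2025-03-01T10:00:06 auth src=10.0.5.7 user=admin result=OK
2025-03-01T10:02:00 auth src=10.0.9.2 user=operator result=OK
2025-03-01T10:03:00 auth src=203.0.113.45 user=admin result=FAIL
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=\S+ result=(?P<result>\S+)$")

# Assumed management allowlist: the only networks that should reach the
# login interface once the switch is isolated from internet-facing segments.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def analyze(log_text, window=timedelta(seconds=60), threshold=5):
    """Return (kind, src) alerts, each raised once per source:
    'bruteforce' = >= threshold FAIL results from one source within window,
    'offnet'     = any login attempt from outside MGMT_NETS."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication event
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        if not any(ipaddress.ip_address(src) in net for net in MGMT_NETS):
            if ("offnet", src) not in alerts:
                alerts.append(("offnet", src))
        if m["result"] == "FAIL":
            q = failures[src]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ("bruteforce", src) not in alerts:
                alerts.append(("bruteforce", src))
    return alerts

if __name__ == "__main__":
    for kind, src in analyze(SAMPLE_LOG):
        print(f"ALERT {kind}: {src}")
```

Feeding real switch syslog into this requires adapting `LINE_RE` to the device's actual message format and setting `MGMT_NETS` to the site's management VLAN ranges.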

With industrial switches often operating for decades without updates, this discovery underscores the urgent need for proactive firmware management in OT environments.
