Security Experts:

Connect with us

Hi, what are you looking for?



Flaws Allow Remote Hacking of Moxa MiiNePort Devices

Flaws affecting Moxa’s MiiNePort embedded serial device servers can be exploited remotely to gain control of vulnerable systems. The vendor has released firmware updates to address the security holes.

Flaws affecting Moxa’s MiiNePort embedded serial device servers can be exploited remotely to gain control of vulnerable systems. The vendor has released firmware updates to address the security holes.

ICS-CERT informed organizations last week that MiiNePort E1, E2 and E3 devices are affected by two vulnerabilities. One of them, tracked as CVE-2016-9344, can be exploited to brute-force an active session cookie and download a device’s configuration file.

The second weakness, tracked as CVE-2016-9346, refers to the fact that the configuration data is stored in a file without being encrypted.

SAVE THE DATE: ICS Cyber Security Conference | Singapore – April 25-27, 2017

Aditya K. Sood, the researcher who discovered the vulnerabilities, told SecurityWeek that the exposed configuration files contain sensitive information, including the administrator password, which could allow an attacker to gain unrestricted privileges and access to the device.

According to the researcher, CVE-2016-9344 allows an attacker to download the configuration file remotely from the Internet if the targeted user has an active session on the device.

“The Moxa device emits ‘Server: MoxaHttp/’ on TCP port 80 or any other web port. A simple web scanner with filtering of these headers can help detect systems on the web,” Sood explained.

While the researcher has not conducted any mass Internet scans, he did identify a few hundred externally-accessible devices using the Shodan search engine. Other vulnerable devices are likely not exposed to the Internet, requiring the attacker to have network access.

Moxa patched the vulnerabilities with the release of firmware versions 1.8 (MiiNePort E1), 1.4 (MiiNePort E2) and 1.1 (MiiNePort E3) nearly five months after learning of their existence.

Sood has released proof-of-concept (PoC) exploits and a video showing how the attack works:

Related: Moxa, Vanderbilt Surveillance Products Affected by Serious Flaws

Related: Eight Vulnerabilities Found in Moxa NPort Devices

Related: Flaws Found in Moxa Industrial Ethernet Products

Related: Flaws Found in Moxa Factory Automation Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.