Gabriel Gonzalez

**Name of the Vulnerable Software and Affected Versions** Moog EXO Series versions EXVF5C-2 and EXVP7C2-3 **Description** A security issue was found in the Moog EXO Series units that support the ONVIF interoperability protocol. The authentication check for certain ONVIF operations can be bypassed, allowing an attacker to execute privileged operations without authentication. This could enable the creation of a new Administrator user. **Recommendations** For Moog EXO Series versions EXVF5C-2 and EXVP7C2-3, as a temporary workaround, consider disabling the ONVIF protocol until a patch is available. Restrict access to privileged operations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Moog EXO Series versions EXVF5C-2 and EXVP7C2-3 **Description** The issue concerns several XML External Entity (XXE) vulnerabilities. These vulnerabilities allow remote unauthenticated users to read arbitrary files by using a crafted Document Type Definition (DTD) in an XML request. **Recommendations** For Moog EXO Series versions EXVF5C-2 and EXVP7C2-3, consider disabling the XML parsing functionality until a patch is available. Restrict access to the XML request handling module to minimize the risk of exploitation. Avoid using crafted DTDs in XML requests until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Moog EXO Series EXVF5C-2 and EXVP7C2-3 units (affected versions not specified) **Description** The issue concerns a hardcoded credentials vulnerability, which could lead to confidentiality issues when using the FTP, Telnet, or SSH protocols. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moog EXO Series versions (affected versions not specified) **Description** The administration console of the Moog EXO Series units has a feature that allows spawning a process repeatedly at a certain time interval as 'root'. This feature can be exploited by using special shell variables, such as `${IFS}`, to execute arbitrary commands as 'root' on the units. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.