PT-2019-4710 · Moxa · Moxa Oncell G3100-Hspa Series

Eugenie Potseluevskaya · Published 2019-07-03 · Updated 2020-08-24 · CVE-2018-11422

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior

Description

The issue is related to improper access control in the web interface of the Moxa OnCell G3100-HSPA Series, which can be exploited by a remote attacker to execute arbitrary code. The device uses a proprietary configuration protocol that lacks confidentiality, integrity, and authenticity security controls, sending all information in plain text. This allows the information to be intercepted and modified. Any commands, including device reboot, configuration download or upload, or firmware upgrade, are accepted and executed by the device without authentication.

Recommendations

For Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior, consider restricting access to the device's configuration protocol to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of the device's web interface and avoid sending sensitive information over the proprietary configuration protocol. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Cleartext Transmission of Sensitive Information

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2020-01239
CVE-2018-11422

Affected Products

Moxa Oncell G3100-Hspa Series