# Vulnerability: Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device Management Software

Analysis summary
## CVE Details
- CVE ID: CVE-2018-18395
- CVSS Score: 0.0 as listed. The accompanying vector string, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicates **Critical** impact and calculates to **9.8 CRITICAL**; the listed 0.0 is therefore inconsistent with the vector, and the vector is used for context in this summary.
- CWE: Not explicitly listed, but relates to Improper Access Control/Hardcoded Credentials based on the description.
## Affected Systems
- Products: Moxa ThingsPro IIoT Gateway and Device Management Software
- Versions: v. 2.1 (ThingsPro Gateway Edition)
- Configurations: Not specified beyond the product/version.
## Vulnerability Description
A remote attacker can exploit a flaw involving a "hidden API token" within the Moxa ThingsPro IIoT Gateway software. Successful exploitation allows the attacker to gain root privileges and execute arbitrary code on the affected system.
## Exploitation
- Status: Unknown
- Complexity: Low (the CVSS vector AV:N/AC:L/PR:N/UI:N indicates simple prerequisites: network access, no privileges and no user interaction required)
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Vendor mitigation involves contacting the Moxa sales representative to obtain the new firmware release for **ThingsPro Gateway Edition 2.3**.
### Workarounds
- No specific workarounds were listed in the advisory excerpts.
## Detection
- No specific Indicators of Compromise (IOCs) were provided.
- Detection would involve monitoring network traffic for unauthorized access attempts to API endpoints or unexpected privilege escalation activity on the gateway.
## References
- Vendor Advisory: Moxa (Patch released October 2018)
- Advisory Link (Defanged): ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-023-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-hidden-token-access/