CVE-2017-7913

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to read passwords stored in plaintext within configuration files of affected Moxa OnCell cellular gateway devices. Anyone with access to the device's file system can extract credentials, potentially compromising the entire device and connected systems. Affected users include organizations using these specific Moxa cellular gateways for industrial control systems.

💻 Affected Systems

Products:
  • Moxa OnCell G3110-HSPA
  • Moxa OnCell G3110-HSDPA
  • Moxa OnCell G3150-HSDPA
  • Moxa OnCell 5104-HSDPA
  • Moxa OnCell 5104-HSPA
  • Moxa OnCell 5004-HSPA
Versions:
  • G3110-HSPA: Version 1.3 build 15082117 and earlier
  • G3110-HSDPA: Version 1.2 Build 09123015 and earlier
  • G3150-HSDPA: Version 1.4 Build 11051315 and earlier
  • Other models: All versions
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable as the plaintext password storage is inherent to the application design.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to the device, pivot to connected industrial control systems, and cause physical damage or operational disruption.

🟠 Likely Case

Attackers extract credentials to gain unauthorized access to the device, potentially modifying configurations or using it as a foothold into the network.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the compromised device only.

🌐 Internet-Facing: HIGH - These devices are often deployed in remote locations with internet connectivity, making them accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers with network access could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires file system access, which typically requires some level of authentication, but the vulnerability itself is simple to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Moxa for updated firmware versions

Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/oncell-g3110-g3150-5104-5004-plaintext-password-vulnerability

Restart Required: Yes

Instructions:

1. Contact Moxa support for updated firmware.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or console.
4. Restart the device.
5. Verify that passwords are now encrypted in configuration files.

🔧 Temporary Workarounds

Restrict Configuration File Access

all

Limit access to device configuration files through proper file permissions and access controls.

Network Segmentation

all

Isolate affected devices in separate network segments with strict firewall rules.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can connect to these devices
  • Regularly rotate passwords and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Examine configuration files on the device for plaintext password entries. Check web interface or console for firmware version.

Check Version:

Check via web interface under System > Firmware Version or via console using 'show version' command

Verify Fix Applied:

After patching, verify that configuration files no longer contain plaintext passwords and that passwords appear encrypted or hashed.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to configuration files
  • Multiple failed login attempts followed by successful login

Network Indicators:

  • Unusual network traffic from device
  • Connections to unexpected external IP addresses

SIEM Query:

source="moxa-oncell" AND (event="config_access" OR event="failed_login")
