CVE-2020-27185
📋 TL;DR
CVE-2020-27185 allows attackers to intercept authentication data, device configurations, and other sensitive information transmitted in cleartext via Moxa Service on NPort IA5000A serial device servers. This affects organizations using these industrial serial devices for remote management. Attackers can exploit this to gain unauthorized access to industrial control systems.
💻 Affected Systems
- Moxa NPort IA5000A series serial device servers
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative access to industrial serial devices, modify configurations, disrupt industrial operations, and potentially pivot to other critical systems.
Likely Case
Attackers capture authentication credentials and device configurations, enabling unauthorized access to serial devices and the industrial networks they connect to.
If Mitigated
With proper network segmentation and encryption, attackers cannot intercept cleartext traffic, limiting impact to isolated network segments.
🎯 Exploit Status
Exploitation requires network access to intercept cleartext traffic; no authentication needed to capture transmitted data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version with encryption enabled for Moxa Service
Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities
Restart Required: Yes
Instructions:
1. Download latest firmware from Moxa website. 2. Backup device configuration. 3. Upload firmware via web interface. 4. Apply firmware update. 5. Reboot device. 6. Verify encryption is enabled for Moxa Service.
🔧 Temporary Workarounds
Disable Moxa Service
allTurn off the vulnerable Moxa Service if not required for operations.
Access device web interface > Services > Disable Moxa Service
Implement network encryption
allUse VPN or TLS tunneling to encrypt all traffic to/from the device.
Configure site-to-site VPN or TLS proxy for device communications
🧯 If You Can't Patch
- Segment devices on isolated VLANs with strict firewall rules limiting access to trusted management stations only.
- Implement network monitoring to detect cleartext authentication/configuration traffic and unauthorized access attempts.
🔍 How to Verify
Check if Vulnerable:
Use network packet capture (Wireshark/tcpdump) on device network segment to check if Moxa Service traffic (default port 4800) is transmitted in cleartext.Check Version:
Access device web interface > System > Firmware Version or use SNMP queryVerify Fix Applied:
Verify firmware version is updated and perform packet capture to confirm Moxa Service traffic is now encrypted.📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts from unexpected IPs
- Configuration changes from unauthorized users
Network Indicators:
- Cleartext authentication/configuration traffic on port 4800
- Unusual traffic patterns to/from serial devices
SIEM Query:
source_port:4800 AND protocol:TCP AND (content:"password" OR content:"config")🔗 References
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-021%2C
- https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2021/05/11/klcert-20-021%2C
- https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities
