CVE-2020-6981

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass authentication on Moxa EDS-G516E Series industrial switches running firmware version 5.2 or lower. Attackers can gain unauthorized access to the device's management interface without valid credentials. This affects industrial control systems and operational technology networks using these specific Moxa switches.

💻 Affected Systems

Products:
  • Moxa EDS-G516E Series industrial Ethernet switches
Versions: Firmware version 5.2 and lower
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations of affected firmware versions are vulnerable. These are industrial switches commonly used in critical infrastructure and manufacturing environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial network switches allowing attackers to reconfigure network traffic, disrupt operations, or pivot to other critical systems in industrial environments.

🟠 Likely Case

Unauthorized access to switch management interface enabling network reconnaissance, configuration changes, or denial of service attacks against connected industrial equipment.

🟢 If Mitigated

Limited impact if switches are isolated in protected networks with strict access controls and monitoring, though authentication bypass remains possible.

🌐 Internet-Facing: HIGH - If switches are exposed to the internet, attackers can easily exploit this without authentication to gain full control.
🏢 Internal Only: HIGH - Even internally, attackers with network access can exploit this vulnerability to compromise critical infrastructure switches.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Authentication bypass vulnerabilities are typically easy to exploit. While no public PoC is documented, the vulnerability description suggests trivial exploitation requiring only network access to the device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 5.3 or higher

Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/moxa-eds-g516e-series-multiple-web-server-vulnerabilities

Restart Required: Yes

Instructions:

1. Download firmware version 5.3 or higher from Moxa website.
2. Backup current configuration.
3. Upload new firmware via web interface or CLI.
4. Reboot switch.
5. Restore configuration if needed.
6. Verify firmware version is updated.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected switches in separate VLANs with strict firewall rules limiting access to management interfaces.

Access Control Lists

all

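Implement IP-based access control to restrict management interface access to authorized administrative networks only. The commands below are in Cisco IOS-style syntax; adapt them to the device that enforces the restriction.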

access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
access-class 10 in

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected switches from untrusted networks
  • Deploy intrusion detection systems to monitor for unauthorized access attempts to switch management interfaces

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > System Information) or CLI command 'show version'. If version is 5.2 or lower, device is vulnerable.

Check Version:

show version

Verify Fix Applied:

Verify that the firmware version is 5.3 or higher. Test authentication by attempting to access the management interface without credentials; access should be denied.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful access
  • Unauthorized IP addresses accessing management interface
  • Configuration changes from unexpected sources

Network Indicators:

  • HTTP/HTTPS traffic to switch management ports from unauthorized sources
  • Unusual configuration commands sent to switch

SIEM Query:

source_ip NOT IN (authorized_admin_ips) AND dest_port IN (80,443,23) AND dest_ip IN (switch_ips)
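
The SIEM query above is pseudocode. As an added example (not part of the vendor advisory or any Moxa tooling), the same filter can be run over exported flow records in Python. The switch addresses, the record format and the sample lines are constructed for illustration; the authorized network is taken from the ACL example earlier on this page.

```python
import ipaddress

# Assumptions (constructed for this example, not from the advisory):
# authorized admin network mirrors the ACL example; switch IPs are placeholders.
AUTHORIZED_ADMIN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
SWITCH_IPS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
MGMT_PORTS = {80, 443, 23}  # ports named in the SIEM query

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2024-01-01T08:00:01Z 192.168.1.25 10.20.0.11 443
2024-01-01T08:00:07Z 10.50.3.9 10.20.0.11 80
2024-01-01T08:01:13Z 10.50.3.9 10.20.0.12 23
2024-01-01T08:02:40Z 10.50.3.9 10.20.0.12 502
2024-01-01T08:03:02Z 172.16.4.4 10.99.0.1 443
malformed line here
"""

def parse_flow(line):
    """Return (ts, src, dst, port), or None if the record is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, port = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    except ValueError:
        return None

def is_unauthorized_mgmt_access(src, dst, port):
    """source_ip NOT IN admins AND dest_port IN mgmt ports AND dest_ip IN switches."""
    if dst not in SWITCH_IPS or port not in MGMT_PORTS:
        return False
    return not any(src in net for net in AUTHORIZED_ADMIN_NETS)

def find_alerts(text):
    """Collect every flow that matches the query, skipping unparseable lines."""
    alerts = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow and is_unauthorized_mgmt_access(*flow[1:]):
            alerts.append((flow[0], str(flow[1]), str(flow[2]), flow[3]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print("ALERT unauthorized management access:", *alert)
```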
