CVE-2020-6985

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to gain unauthorized console access to Moxa industrial networking devices using a hard-coded service code. Affected devices include Moxa PT-7528 and PT-7828 series industrial Ethernet switches running vulnerable firmware versions. This affects organizations using these devices in industrial control systems and critical infrastructure.

💻 Affected Systems

Products:
  • Moxa PT-7528 series
  • Moxa PT-7828 series
Versions: PT-7528: Version 4.0 or lower; PT-7828: Version 3.9 or lower
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with vulnerable firmware versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial network devices leading to network disruption, data exfiltration, or manipulation of industrial processes in critical infrastructure.

🟠 Likely Case

Unauthorized access to device configuration, network traffic interception, or device takeover for lateral movement within industrial networks.

🟢 If Mitigated

Limited impact if devices are isolated in secure network segments with strict access controls and monitoring.

🌐 Internet-Facing: HIGH - Devices exposed to the internet are trivially exploitable because the service code is hard-coded into the firmware.
🏢 Internal Only: HIGH - Even internally, any attacker with network reachability to the management interface can exploit this easily.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Hard-coded credentials make exploitation trivial once the service code is known or discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PT-7528: Version 4.1 or higher; PT-7828: Version 4.0 or higher

Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/moxa-pt-7528-pt-7828-series-hard-coded-service-code-vulnerability

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Moxa support site.
2. Back up the current configuration.
3. Upload the new firmware via the web interface or CLI.
4. Reboot the device.
5. Restore the configuration if needed.

🔧 Temporary Workarounds

Network segmentation (applies to: all affected versions)

Isolate affected devices in separate VLANs with strict firewall rules limiting access to management interfaces.

Access control lists (applies to: all affected versions)

Implement IP-based access restrictions to management interfaces using device ACLs. In the example below, replace [TRUSTED_IP] with the address of the trusted management host; the ACL is applied inbound on the management VLAN interface.

configure terminal
access-list 10 permit host [TRUSTED_IP]
interface vlan 1
ip access-group 10 in

🧯 If You Can't Patch

  • Physically isolate devices from untrusted networks and implement strict network segmentation
  • Implement comprehensive monitoring and alerting for unauthorized access attempts to device management interfaces

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface (System > System Information) or with the CLI command 'show version'.

Check Version:

show version

Verify Fix Applied:

Verify that the firmware version is 4.1 or higher (PT-7528) or 4.0 or higher (PT-7828), and confirm that the hard-coded service code no longer grants console access.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts using the hard-coded service code
  • Successful console access from unexpected IP addresses

Network Indicators:

  • Telnet/SSH connections to device management interfaces from unauthorized sources
  • Unexpected configuration changes

SIEM Query:

source_ip NOT IN (trusted_management_ips) AND (destination_port:22 OR destination_port:23) AND destination_ip IN (affected_devices)
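The version check from "How to Verify" and the SIEM query above, as an added Python example (not part of the original advisory or any Moxa tooling). The flow-record format and all IP addresses are constructed for illustration; the vulnerable version ceilings are the ones this advisory states.

```python
import ipaddress

# Last vulnerable firmware release per model, as stated in this advisory:
# PT-7528 <= 4.0 and PT-7828 <= 3.9 are vulnerable.
VULNERABLE_MAX = {"PT-7528": (4, 0), "PT-7828": (3, 9)}

def parse_version(text):
    """'4.10' -> (4, 10); tuple comparison avoids the '4.1' > '4.10' string trap."""
    return tuple(int(p) for p in text.strip().split("."))

def is_vulnerable(model, version):
    """True when a PT-7528/PT-7828 reports firmware at or below the vulnerable ceiling."""
    ceiling = VULNERABLE_MAX.get(model.strip().upper())
    if ceiling is None:
        return False  # other models are out of scope for this CVE
    return parse_version(version) <= ceiling

def parse_flow(line):
    """Parse a constructed '<ts> key=value ...' flow record into a dict (dport as int)."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    fields["ts"] = parts[0]
    fields["dport"] = int(fields["dport"])
    return fields

def flag_management_sessions(lines, trusted_mgmt_ips, affected_devices):
    """Python form of the SIEM query: SSH/Telnet to an affected device from outside the trusted set."""
    trusted = {ipaddress.ip_address(ip) for ip in trusted_mgmt_ips}
    affected = {ipaddress.ip_address(ip) for ip in affected_devices}
    hits = []
    for rec in map(parse_flow, lines):
        if (rec["dport"] in (22, 23)
                and ipaddress.ip_address(rec["dst"]) in affected
                and ipaddress.ip_address(rec["src"]) not in trusted):
            hits.append(rec)
    return hits

# Constructed sample flow records (not captured from any real device)
SAMPLE_FLOWS = [
    "2020-03-10T09:00:01Z src=10.0.50.10 dst=10.0.1.20 dport=22 proto=tcp",  # trusted jump host
    "2020-03-10T09:05:12Z src=10.0.7.44 dst=10.0.1.20 dport=23 proto=tcp",   # untrusted source -> Telnet
    "2020-03-10T09:06:30Z src=10.0.7.44 dst=10.0.1.21 dport=443 proto=tcp",  # not a console port
    "2020-03-10T09:07:02Z src=10.0.7.45 dst=10.0.9.9 dport=22 proto=tcp",    # not an affected device
]

if __name__ == "__main__":
    for model, ver in [("PT-7528", "4.0"), ("PT-7528", "4.1"), ("PT-7828", "3.9")]:
        print(model, ver, "vulnerable" if is_vulnerable(model, ver) else "patched")
    for hit in flag_management_sessions(SAMPLE_FLOWS, ["10.0.50.10"], ["10.0.1.20", "10.0.1.21"]):
        print("ALERT", hit["ts"], hit["src"], "->", hit["dst"], "port", hit["dport"])
```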

🔗 References