CVE-2021-39279

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary operating system commands on affected MOXA devices via the /forms/web_importTFTP endpoint. It affects multiple MOXA industrial networking products including WAC, OnCell, TAP, and WDR series devices. Attackers with valid credentials can gain full system control.

💻 Affected Systems

Products:
  • WAC-2004
  • WAC-1001
  • WAC-1001-T
  • OnCell G3470A-LTE-EU
  • OnCell G3470A-LTE-EU-T
  • TAP-323-EU-CT-T
  • TAP-323-US-CT-T
  • TAP-323-JP-CT-T
  • WDR-3124A-EU
  • WDR-3124A-EU-T
  • WDR-3124A-US
  • WDR-3124A-US-T
Versions: WAC-2004 1.7, WAC-1001 2.1, OnCell G3470A-LTE-EU 1.7, TAP-323 series 1.3, WDR-3124A series 2.3
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All listed versions are vulnerable by default. Requires authenticated access to web interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise leading to lateral movement within industrial networks, data exfiltration, or disruption of critical infrastructure operations.

🟠 Likely Case

Unauthorized access to device configuration, installation of backdoors, or use as a pivot point for further network attacks.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Devices exposed to internet are directly accessible to attackers with credentials.
🏢 Internal Only: MEDIUM - Requires authenticated access but internal attackers or compromised accounts could exploit.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details published on Packet Storm. Requires valid credentials but command injection is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific fixed versions per product

Vendor Advisory: https://www.moxa.com

Restart Required: Yes

Instructions:

1. Check the MOXA website for firmware updates.
2. Download the appropriate firmware for your device model.
3. Back up the configuration.
4. Upload the firmware via the web interface.
5. Reboot the device.

🔧 Temporary Workarounds

Network Access Restriction

Restrict access to the device web interface to trusted IP addresses only. Replace trusted_ip with your management host or subnet; because -A appends rules in order, the ACCEPT rules must be added before the DROP rules.

# allow the trusted management address to reach HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
# drop web interface traffic from everyone else
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Credential Hardening


Change default credentials and implement strong password policies

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules
  • Implement network monitoring for unusual traffic patterns from these devices

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against affected versions list. Test web interface access to /forms/web_importTFTP endpoint.

Check Version:

Check via web interface under System > Firmware or via SSH: cat /etc/version

Verify Fix Applied:

Verify firmware version is updated beyond affected versions. Test that command injection no longer works.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /forms/web_importTFTP
  • Multiple failed login attempts followed by successful login
  • Commands with shell metacharacters in web logs

Network Indicators:

  • Unusual outbound connections from industrial devices
  • TFTP traffic from devices not expected to use it

SIEM Query:

source="web_logs" AND uri="/forms/web_importTFTP" AND (method="POST" OR method="GET")
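The log indicators above can be checked offline with a small scanner. This is an added example, not code from the page or from MOXA: it assumes Common Log Format access logs, the sample lines are constructed, and the `host` query parameter is a hypothetical name chosen only to illustrate a metacharacter in a request.

```python
"""Flag web-log requests to the vulnerable MOXA endpoint (added example, not from the page)."""
import re
from urllib.parse import unquote

VULN_PATH = "/forms/web_importTFTP"
# Characters that let a supplied value break out into a shell command
SHELL_META = re.compile(r"[;|&`$<>\n]|\$\(")

# Constructed sample lines in Common Log Format; not real device logs.
# The "host" parameter is a hypothetical name used only for illustration.
SAMPLE_LOGS = """\
10.0.0.5 - admin [12/Oct/2021:09:14:02 +0000] "GET /index.asp HTTP/1.1" 200 512
10.0.0.5 - admin [12/Oct/2021:09:14:30 +0000] "POST /forms/web_importTFTP HTTP/1.1" 200 77
10.0.0.9 - admin [12/Oct/2021:09:15:01 +0000] "GET /forms/web_importTFTP?host=10.0.0.1%3Bid HTTP/1.1" 200 77
10.0.0.9 - - [12/Oct/2021:09:15:05 +0000] "GET /forms/web_importTFTP?host=10.0.0.1 HTTP/1.1" 200 77
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return None for lines that do not touch the endpoint, else a finding dict.

    Any hit on the endpoint is at least "medium" (the page recommends reviewing all
    POST/GET traffic to it). A decoded URI containing shell metacharacters is "high".
    POST bodies are not present in access logs, so POST hits need correlation with
    other sources (TFTP traffic, outbound connections) rather than URI inspection.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    uri = unquote(m.group("uri"))  # decode %3B etc. before looking for metacharacters
    if not uri.startswith(VULN_PATH):
        return None
    severity = "high" if SHELL_META.search(uri) else "medium"
    return {"src": m.group("src"), "user": m.group("user"),
            "method": m.group("method"), "uri": uri, "severity": severity}


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```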

🔗 References
