CVE-2021-46560 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2021-46560?

CVE-2021-46560 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary commands on Moxa TN-5900 secure routers through command injection in the firmware. Attackers could potentially take full control of affected devices, leading to device damage or network compromise. Organizations using Moxa TN-5900 routers through version 3.1 are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on Moxa TN-5900 secure routers through command injection in the firmware. Attackers could potentially take full control of affected devices, leading to device damage or network compromise. Organizations using Moxa TN-5900 routers through version 3.1 are affected.

💻 Affected Systems

Products:

Moxa TN-5900 Secure Routers

Versions: Through version 3.1

Operating Systems: Moxa proprietary firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All TN-5900 devices running firmware up to and including version 3.1 are vulnerable regardless of configuration.

📦 What is this software?

Tn 5900 Firmware by Moxa

View all CVEs affecting Tn 5900 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to permanent device damage, network disruption, and lateral movement into connected networks.

🟠

Likely Case

Remote code execution allowing attackers to reconfigure devices, intercept traffic, or use devices as network footholds.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Command injection vulnerabilities are easily exploitable and devices directly exposed to the internet are at immediate risk.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to the devices.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Command injection vulnerabilities typically have low exploitation complexity and can be exploited with simple HTTP requests containing malicious payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.2 or later

Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/tn-5900-secure-routers-vulnerabilitiestxt

Restart Required: Yes

Instructions:

1. Download firmware version 3.2 or later from Moxa support portal. 2. Backup current configuration. 3. Upload new firmware via web interface or CLI. 4. Reboot device. 5. Verify firmware version after reboot.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate TN-5900 devices from untrusted networks and restrict access to management interfaces.

Access Control Lists

all

Implement strict firewall rules to limit which IP addresses can communicate with the device management interfaces.

🧯 If You Can't Patch

Deploy network-based intrusion prevention systems (IPS) to detect and block command injection attempts
Implement strict network segmentation to isolate vulnerable devices from critical network segments

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > System Information) or CLI command 'show version'

Check Version:

show version

Verify Fix Applied:

Verify firmware version is 3.2 or higher using same methods as checking vulnerability

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Multiple failed authentication attempts followed by successful access
Unexpected configuration changes

Network Indicators:

Unusual outbound connections from router
Traffic patterns inconsistent with normal operation
HTTP requests with shell metacharacters or command injection patterns

SIEM Query:

source="tn-5900-logs" AND ("cmd.exe" OR "bash" OR "sh" OR "|" OR ";" OR "$" OR "`")

📊 Metadata

CVE ID: CVE-2021-46560

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: January 26, 2022

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46560, you might also want to check these: