Login Sign Up

CVE-2022-40224

7.5 HIGH
Denial of Service

📋 TL;DR

This vulnerability allows remote attackers to cause denial of service in Moxa SDS-3008 industrial switches by sending specially crafted HTTP headers. Attackers can crash the web server functionality, disrupting network management access. Organizations using affected Moxa switches in industrial environments are at risk.

💻 Affected Systems

Products:
  • Moxa SDS-3008 Series Industrial Ethernet Switch
Versions: Version 2.1
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects web server functionality; switching/routing functions may continue operating during attack.

📦 What is this software?

Sds 3008 Firmware by Moxa

View all CVEs affecting Sds 3008 Firmware →

Sds 3008 T Firmware by Moxa

View all CVEs affecting Sds 3008 T Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete web server crash requiring physical reset or reboot of the industrial switch, disrupting network management and potentially affecting industrial operations.

🟠

Likely Case

Temporary denial of service to the web management interface, requiring manual intervention to restore access.

🟢

If Mitigated

Minimal impact if switches are behind firewalls with restricted HTTP access and proper network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires network access to HTTP port but no authentication. Simple HTTP request with malicious header can trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.2 or later

Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/sds-3008-series-multiple-web-vulnerabilities

Restart Required: Yes

Instructions:

1. Download firmware version 2.2 or later from Moxa support site. 2. Backup current configuration. 3. Upload new firmware via web interface or console. 4. Reboot switch. 5. Restore configuration if needed.

🔧 Temporary Workarounds

Restrict HTTP Access

all

Block external HTTP access to switch management interface using firewall rules

Disable Web Interface

all

Disable HTTP/HTTPS web management and use console/SSH only

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate industrial switches from untrusted networks
  • Deploy network monitoring to detect abnormal HTTP traffic patterns to switch management interfaces

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > System Information) or console command 'show version'

Check Version:

show version

Verify Fix Applied:

Confirm firmware version is 2.2 or higher and test HTTP connectivity remains stable

📡 Detection & Monitoring

Log Indicators:

  • Web server crash logs
  • HTTP connection resets
  • Abnormal HTTP header patterns

Network Indicators:

  • Multiple HTTP requests with unusual header patterns to switch management IP on port 80/443

SIEM Query:

source_ip=* AND dest_port IN (80,443) AND dest_ip=[switch_ip] AND http_header CONTAINS [malicious_pattern]

📊 Metadata

CVE ID: CVE-2022-40224
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-410
Published: February 7, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-40224, you might also want to check these:

CVE-2021-1615 8.6

An unauthenticated remote attacker can cause denial of service on Cisco Catalyst Access Points by se...

Same vulnerability type (CWE-410)
CVE-2025-0453 7.5

This vulnerability in MLflow's GraphQL endpoint allows attackers to cause denial of service by sendi...

Same vulnerability type (CWE-410)
CVE-2025-41653 7.5

An unauthenticated remote attacker can cause denial-of-service by sending specially crafted HTTP req...

Same vulnerability type (CWE-410)