CVE-2023-33237
📋 TL;DR
This vulnerability allows low-privileged users to execute restricted actions intended only for high-privileged users due to improper authentication in the web API handler. It affects TN-5900 Series devices running firmware version v3.3 and earlier. Attackers could potentially gain unauthorized control over affected devices.
💻 Affected Systems
- TN-5900 Series
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to modify configurations, disrupt operations, or use the device as a pivot point into the network.
Likely Case
Unauthorized configuration changes, data exposure, or service disruption by authenticated low-privileged users.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized access to the web API.
🎯 Exploit Status
Exploitation requires authenticated access but with low privileges. The vulnerability is in authentication logic, making exploitation straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.4 or later
Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities
Restart Required: Yes
Instructions:
1. Download firmware v3.4 or later from the Moxa support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface or console.
4. Restart the device.
5. Restore the configuration if needed.
🔧 Temporary Workarounds
Restrict network access
Limit access to the device's web interface to trusted networks only.
Disable unnecessary accounts
Remove or disable low-privileged user accounts that are not required for operations.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices from critical networks.
- Monitor and audit all access to the device web interface for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface: System > Maintenance > Firmware Information. If version is v3.3 or earlier, device is vulnerable.
Check Version:
No CLI command available. Use web interface at System > Maintenance > Firmware Information.
Verify Fix Applied:
After patching, verify firmware version shows v3.4 or later in System > Maintenance > Firmware Information.
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls from low-privileged accounts
- Configuration changes from non-admin users
- Failed authentication attempts followed by successful restricted actions
Network Indicators:
- Unusual traffic patterns to web API endpoints from internal sources
- Multiple API requests from single low-privileged account in short timeframe
SIEM Query:
source="tn-5900" AND (event_type="api_call" AND user_role="low_privilege" AND action="restricted")
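The Log and Network Indicators above, turned into detection logic over constructed sample records, as an added example that is not part of the advisory or any Moxa tooling. The JSON-lines layout and field names (ts, event_type, user, user_role, action) are assumptions mirroring the SIEM query, since the page does not give the device's real log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed JSON-lines layout (hypothetical;
# field names mirror the SIEM query above rather than a real TN-5900 log).
SAMPLE_LOGS = """\
{"ts":"2023-06-01T10:00:00","event_type":"api_call","user":"operator1","user_role":"low_privilege","action":"read_status"}
{"ts":"2023-06-01T10:00:02","event_type":"api_call","user":"operator1","user_role":"low_privilege","action":"restricted"}
{"ts":"2023-06-01T10:00:03","event_type":"api_call","user":"admin","user_role":"admin","action":"restricted"}
{"ts":"2023-06-01T10:05:00","event_type":"api_call","user":"operator2","user_role":"low_privilege","action":"read_status"}
{"ts":"2023-06-01T10:05:05","event_type":"api_call","user":"operator2","user_role":"low_privilege","action":"read_status"}
{"ts":"2023-06-01T10:05:10","event_type":"api_call","user":"operator2","user_role":"low_privilege","action":"read_status"}
{"ts":"2023-06-01T10:05:15","event_type":"api_call","user":"operator2","user_role":"low_privilege","action":"read_status"}
{"ts":"2023-06-01T10:05:20","event_type":"api_call","user":"operator2","user_role":"low_privilege","action":"read_status"}
"""

RESTRICTED_ACTIONS = {"restricted", "config_change"}

def parse_logs(text):
    # One JSON object per line; timestamps parsed for window arithmetic.
    records = [json.loads(l) for l in text.splitlines() if l.strip()]
    for r in records:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return records

def find_privilege_misuse(records):
    # Log indicator: restricted actions (incl. config changes) by non-admin accounts.
    return [r for r in records
            if r.get("event_type") == "api_call"
            and r.get("user_role") != "admin"
            and r.get("action") in RESTRICTED_ACTIONS]

def find_api_bursts(records, window=timedelta(seconds=60), threshold=5):
    # Network indicator: many API requests from one low-privileged account in a
    # short window. Sliding window per account; returns the peak count per account.
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("event_type") == "api_call" and r.get("user_role") == "low_privilege":
            by_user[r["user"]].append(r["ts"])
    alerts = {}
    for user, times in by_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = max(alerts.get(user, 0), end - start + 1)
    return alerts
```

Tune the window and threshold to the normal polling rate of your own low-privileged integrations before alerting on bursts.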