Moxa, a leading industrial networking and communications manufacturer, has disclosed two serious security vulnerabilities affecting its Secure Router product line.
Tracked as CVE-2026-3867 and CVE-2026-3868, these flaws span improper ownership management and a dangerous buffer overflow condition in the HTTPS management interface.
With the high-severity CVE-2026-3868 carrying a CVSS 4.0 score of 8.7 and enabling unauthenticated remote exploitation, operators of critical infrastructure must treat this disclosure as an urgent remediation priority.
Moxa Secure Router Vulnerability
CVE-2026-3867 is classified under CWE-282 (Improper Ownership Management) and stems from a file-permission flaw in the Secure Router firmware. Because ownership of a configuration file is assigned incorrectly, a low-privileged authenticated user can read the file and obtain the hashed password of the administrative account.
This attack pattern aligns with CAPEC-122 (Privilege Abuse), where an attacker leverages legitimate but excessive permissions to escalate access. Exploitation is conditional on the configuration file having previously been exported, but the risk of credential harvesting is real, particularly in environments with shared or inadequately segregated user accounts.
CVE-2026-3868 is significantly more dangerous. It is classified under CWE-130: Improper Handling of Length Parameter Inconsistency and maps to CAPEC-47: Buffer Overflow via Parameter Expansion.
An unauthenticated remote attacker can send specially crafted HTTPS requests to the router's management interface and trigger a buffer overflow that crashes the web service.
Recovery requires a full device reboot, so this is a high-impact Denial-of-Service (DoS) vulnerability that can disrupt critical industrial operations without any credentials.
| CVE | CVSS 4.0 Score | Severity | Unauthenticated Remote Exploit | Primary Impact |
|---|---|---|---|---|
| CVE-2026-3867 | 6.0 | Medium | No | Confidentiality (credential exposure) |
| CVE-2026-3868 | 8.7 | High | Yes | Availability (DoS via buffer overflow) |
CVE-2026-3868's attack vector is Network (AV:N), with Low Attack Complexity (AC:L), No Attack Requirements (AT:N), and No Privileges Required (PR:N): any host that can reach the management interface can exploit it without credentials or user interaction. Moxa explicitly urges immediate patching for CVE-2026-3868 given this risk profile.
Affected Products and Fixed Firmware Versions
Moxa’s advisory covers a broad range of industrial-grade secure router and security appliance product lines:
- TN-4900 Series – Firmware v3.22 and earlier → Update to v3.24 or later
- EDR-8010 Series – Firmware v3.23 and earlier → Update to v3.24 or later
- EDR-G9010 Series – Firmware v3.23.1 and earlier → Update to v3.24 or later
- OnCell G4302-LTE4 Series – Firmware v3.23.0 and earlier → Contact Moxa Technical Support for v3.24.1 patch
- OnCell G4308-LTE4 Series – Firmware v3.23.0 and earlier → Contact Moxa Technical Support for v3.24.1 patch
- EDF-G1002-BP Series – Firmware v3.23 and earlier → Update to v3.24 or later
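To turn that table into a fleet check, the following script (an added example, not Moxa tooling) compares each inventory entry's firmware version against the last affected and first fixed versions listed above. The inventory rows are constructed for the example; the status "unlisted-confirm-with-vendor" marks versions that sit between the last affected and the first fixed release, which the advisory does not explicitly cover.

```python
"""Triage a Moxa device inventory against the fixed-firmware table.

Added example, not Moxa tooling. Version boundaries are taken from the
advisory list above; the inventory below is constructed sample data.
"""
import csv
import io

# series -> (last affected version, first fixed version), per the advisory
FIXED_VERSIONS = {
    "TN-4900": ("v3.22", "v3.24"),
    "EDR-8010": ("v3.23", "v3.24"),
    "EDR-G9010": ("v3.23.1", "v3.24"),
    "OnCell G4302-LTE4": ("v3.23.0", "v3.24.1"),
    "OnCell G4308-LTE4": ("v3.23.0", "v3.24.1"),
    "EDF-G1002-BP": ("v3.23", "v3.24"),
}


def parse_version(version: str) -> tuple:
    """'v3.23.1' -> (3, 23, 1); missing components compare as 0, so 'v3.23' == 'v3.23.0'."""
    parts = version.strip().lstrip("vV").split(".")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def firmware_status(series: str, version: str) -> str:
    """Classify one device: fixed, vulnerable, unlisted, or a series the advisory does not name."""
    if series not in FIXED_VERSIONS:
        return "unknown-series"
    last_affected, first_fixed = FIXED_VERSIONS[series]
    v = parse_version(version)
    if v >= parse_version(first_fixed):
        return "fixed"
    if v <= parse_version(last_affected):
        return "vulnerable"
    # Newer than the last listed affected build but older than the fix:
    # the advisory does not say, so do not assume it is safe.
    return "unlisted-confirm-with-vendor"


# Constructed inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = """hostname,series,firmware
edr-plant-a,EDR-G9010,v3.23.1
edr-plant-b,EDR-G9010,v3.24
tn-sub-1,TN-4900,v3.20
cell-gw-1,OnCell G4302-LTE4,v3.23.0
cell-gw-2,OnCell G4302-LTE4,v3.24.1
edr-8010-x,EDR-8010,v3.23.2
switch-legacy,EDS-500,v2.0
"""


def triage_inventory(csv_text: str) -> list:
    """Return (hostname, series, firmware, status) for every inventory row."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        status = firmware_status(rec["series"], rec["firmware"])
        rows.append((rec["hostname"], rec["series"], rec["firmware"], status))
    return rows


def vulnerable_hosts(csv_text: str) -> list:
    """Hostnames whose firmware is within the advisory's affected range."""
    return [r[0] for r in triage_inventory(csv_text) if r[3] == "vulnerable"]


if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print("%-15s %-20s %-8s %s" % row)
```

Feed it the CSV export of your asset inventory; anything flagged "unlisted-confirm-with-vendor" or "unknown-series" should be checked against the current advisory rather than treated as patched.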
The TN-4900 series has been the subject of earlier advisories, including privilege-escalation and command-injection vulnerabilities disclosed in 2023 and 2025, so this advisory adds to a recurring attack surface that demands continuous vigilance.
CVE-2026-3867 exploits a misconfigured file ownership boundary. When a configuration file is exported from the device, improper permissions allow a non-administrative authenticated user to read its contents, including the hashed administrator password.
An attacker who obtains this hash can run offline brute-force or dictionary attacks against it; if the administrator password is weak enough to be recovered, the attacker gains full administrative control of the router.
CVE-2026-3868 is triggered through the HTTPS management interface by requests with malformed or excessively long length parameters. The firmware copies user-supplied input into a fixed-size buffer without validating the declared length, overwriting adjacent memory.
Unlike buffer overflows that lead to code execution, the reported impact of this flaw is a crash of the web service, i.e. denial of service. In OT/ICS environments where router uptime is mission-critical, even a temporary availability loss can have cascading operational consequences.
Mitigation
Moxa recommends immediate firmware upgrades. For environments where patching is operationally constrained, the following mitigations reduce exposure:
- Restrict network access using firewalls and ACLs; limit management interface access to trusted IP addresses only
- Network segmentation: Isolate OT networks from enterprise IT networks using VLANs or physical separation
- Disable unused services and ports to minimize the attack surface on all affected devices
- Enforce MFA and RBAC: Implement multi-factor authentication and role-based access control for all privileged accounts
- Use a VPN or SSH for all remote management sessions; never expose the HTTPS management interface directly to the internet
- Enable anomaly detection and logging: Monitor for unusual HTTPS request patterns against the management interface, and for repeated web-service crashes or unexpected reboots, which could indicate active exploitation attempts against CVE-2026-3868.
- Establish a patch management schedule: Given Moxa’s history of recurring firmware-level vulnerabilities, a defined patching cadence is essential.
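As an added illustration of the monitoring point above (not part of the advisory or of any Moxa product), the script below applies two detection rules to upstream logs: a burst of connections from one source to the router's HTTPS management port, and the management interface repeatedly going down, with a correlated alert when a burst is followed by an outage. The log formats, the management address 10.10.0.1 and all sample lines are constructed for the example; a real deployment would feed firewall connection logs and an HTTPS availability check.

```python
"""Flag possible CVE-2026-3868 exploitation attempts from upstream logs.

Added example, not Moxa tooling. Both log formats are hypothetical:
  <iso-timestamp> fw conn src=<ip> dst=<ip> dport=<port>
  <iso-timestamp> monitor https-check host=<ip> status=up|down
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CONN_RE = re.compile(
    r"^(?P<ts>\S+) fw conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
HEALTH_RE = re.compile(
    r"^(?P<ts>\S+) monitor https-check host=(?P<host>\S+) status=(?P<status>up|down)$")

ROUTER_MGMT_IP = "10.10.0.1"  # assumed management address of the Moxa router


def _t(seconds: int) -> str:
    """Timestamp helper for the constructed sample (base time is arbitrary)."""
    return (datetime(2026, 4, 1, 8, 0, 0) + timedelta(seconds=seconds)).isoformat()


# Constructed sample: normal traffic, a 12-connection burst from one source
# within ~25 s, then the HTTPS check failing, recovering, and failing again.
SAMPLE_LOG = (
    [f"{_t(0)} fw conn src=10.10.5.20 dst={ROUTER_MGMT_IP} dport=443",
     f"{_t(5)} monitor https-check host={ROUTER_MGMT_IP} status=up"]
    + [f"{_t(10 + 2 * i)} fw conn src=192.0.2.50 dst={ROUTER_MGMT_IP} dport=443"
       for i in range(12)]
    + [f"{_t(40)} monitor https-check host={ROUTER_MGMT_IP} status=down",
       f"{_t(70)} monitor https-check host={ROUTER_MGMT_IP} status=up",
       f"{_t(90)} fw conn src=10.10.5.21 dst={ROUTER_MGMT_IP} dport=443",
       f"{_t(100)} monitor https-check host={ROUTER_MGMT_IP} status=down"]
)


def detect(lines, router_ip=ROUTER_MGMT_IP, window=timedelta(seconds=60),
           burst_threshold=10, down_threshold=2):
    """Return a list of (kind, source, timestamp) alerts.

    kind is 'burst' (>= burst_threshold connections from one source to
    TCP/443 on the router inside `window`), 'repeated-down' (the HTTPS
    check went up->down at least down_threshold times) or 'burst-then-down'
    (an outage began within `window` after a burst from that source).
    """
    conns = defaultdict(list)   # src -> connection timestamps to the mgmt port
    downs = []                  # times the check transitioned to down
    last_status = None
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            if m["dst"] == router_ip and m["dport"] == "443":
                conns[m["src"]].append(datetime.fromisoformat(m["ts"]))
            continue
        m = HEALTH_RE.match(line)
        if m and m["host"] == router_ip:
            if m["status"] == "down" and last_status != "down":
                downs.append(datetime.fromisoformat(m["ts"]))
            last_status = m["status"]

    alerts = []
    bursts = {}  # src -> time the burst threshold was crossed
    for src, times in conns.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):     # sliding window over one source
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                bursts[src] = t
                alerts.append(("burst", src, t))
                break
    if len(downs) >= down_threshold:
        alerts.append(("repeated-down", None, downs[-1]))
    for src, burst_time in bursts.items():
        for d in downs:
            if timedelta(0) <= d - burst_time <= window:
                alerts.append(("burst-then-down", src, d))
                break
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:16s} {src or '-'}")
```

Because the management traffic is TLS, the rule keys on connection rate and availability rather than on request bodies; tune the thresholds to your normal management traffic, and treat a burst followed by an outage as the high-confidence signal.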
FAQ
Q1: Can CVE-2026-3868 be exploited without any credentials?
Yes, it is fully unauthenticated and remotely exploitable over the network with no privileges required.
Q2: Does CVE-2026-3867 allow an attacker to read the admin password in plaintext directly?
No, it exposes only the hashed password, which still requires further cracking to obtain the plaintext credential.
Q3: Which affected product requires contacting Moxa support directly for the patch?
OnCell G4302-LTE4 and G4308-LTE4 Series users must contact Moxa Technical Support to receive the v3.24.1 security patch.
Q4: Do these vulnerabilities impact the integrity of connected downstream systems?
No. For both CVEs the subsequent-system metrics are rated as no impact (in CVSS 4.0 terms, SC:N/SI:N/SA:N): Moxa has identified no confidentiality, integrity, or availability impact on downstream systems from either flaw.
Site: thecybrdef.com