Moxa Industrial Ethernet Switches Affected by OpenSSH `ssh-agent` RCE (CVE-2023-38408)
Moxa issued guidance for a critical remote code execution (RCE) risk affecting multiple industrial Ethernet switch lines due to CVE-2023-38408 in the OpenSSH ssh-agent PKCS#11 feature (OpenSSH versions prior to 9.3p2). The flaw is described as an unreliable/unquoted search path issue (CWE-428) and is characterized as an incomplete fix related to CVE-2016-10009; exploitation can lead to full device compromise impacting confidentiality, integrity, and availability, with a reported CVSS 3.1 score of 9.8.
Impacted products include Moxa EDS series switches (e.g., EDS-G4000, EDS-4008/4009/4012/4014, EDS-G4008/G4012/G4014) running firmware v4.1 or earlier, and RKS series switches (e.g., RKS-G4000, RKS-G4028, RKS-G4028-L3) running firmware v5.0 or earlier. Moxa’s remediation requires obtaining patches via Moxa Technical Support rather than public download; the cited target versions are 4.1.58 for EDS and 5.0.4 for RKS. Until updates can be applied, recommended mitigations include restricting network access (e.g., firewalls/ACLs) and segmenting OT networks (e.g., VLAN separation) to limit exposure.
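An inventory triage check built from the version cut-offs above, as an added example (not code from Moxa or from the sources of this page). It assumes the inventory supplies a model string and a firmware string per device, that variants of a listed model share its name as a prefix, and that any build below the cited fixed version needs the patch; the inventory rows are constructed.

```python
import re

# Fixed firmware per product family, as cited on this page.
FIXED = {"EDS": (4, 1, 58), "RKS": (5, 0, 4)}

# Model names this page lists as impacted; matched as prefixes so that
# variants of a model (suffix after "-") are also caught.
LISTED = ["EDS-G4000", "EDS-4008", "EDS-4009", "EDS-4012", "EDS-4014",
          "EDS-G4008", "EDS-G4012", "EDS-G4014",
          "RKS-G4000", "RKS-G4028"]
LISTED_RE = re.compile(r"^(%s)(-|$)" % "|".join(map(re.escape, LISTED)))

def parse_version(text):
    """'v4.1' -> (4, 1, 0); returns None when the string is not numeric."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+){0,2})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(model, firmware):
    """Classify one inventory row against the advisory's version cut-offs."""
    model = model.strip().upper()
    if not LISTED_RE.match(model):
        return "not-listed"
    version = parse_version(firmware)
    if version is None:
        return "check-manually"  # unparseable firmware string
    # Assumption: any build below the cited fixed version needs the patch.
    return "affected" if version < FIXED[model[:3]] else "fixed"

# Constructed inventory rows (hostname, model, firmware); not real devices.
INVENTORY = [
    ("sw-line1", "EDS-4008-2GT-2GS-LV", "v4.1"),
    ("sw-line2", "EDS-G4012", "4.1.58"),
    ("sw-core1", "RKS-G4028-L3", "5.0"),
    ("sw-core2", "RKS-G4028", "v5.0.4"),
    ("sw-old", "EDS-408A", "3.8"),
    ("sw-lab", "EDS-4014", "unknown"),
]

def report(rows=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in rows}
```

Devices reported as `affected` or `check-manually` are the ones to place behind the ACL and VLAN restrictions described above until the patched firmware is installed.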
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Moxa makes patched firmware available through technical support
Moxa provided remediation guidance and made fixed firmware available via Moxa Technical Support rather than public download, including versions such as EDS 4.1.58 and RKS 5.0.4. The company also recommended interim mitigations including network segmentation, restricted access, hardening authentication, avoiding Internet exposure, and monitoring for anomalies.
Moxa issues advisory for affected EDS and RKS Ethernet switches
Moxa disclosed that multiple industrial Ethernet switch models in its EDS and RKS series were affected by CVE-2023-38408, including EDS firmware 4.1 or earlier and RKS firmware 5.0 or earlier. The company warned that exploitation could lead to full system compromise and pose risks to OT environments.
OpenSSH flaw CVE-2023-38408 disclosed as incomplete fix for CVE-2016-10009
CVE-2023-38408 was identified in OpenSSH's ssh-agent PKCS#11 feature, where an unreliable library search path could allow remote code execution when agent forwarding is used to an attacker-controlled system. The issue was described as an incomplete fix for CVE-2016-10009 and assigned a CVSS score of 9.8.
Sources
Critical OpenSSH Vulnerability Exposes Moxa Ethernet Switches to Remote Code Execution
cybersecuritynews.com
Critical Alert: Moxa Switches Exposed to OpenSSH Remote Code Execution (CVSS 9.8)
securityonline.info