VYPR
Unrated severity · NVD Advisory · Published May 14, 2018 · Updated Sep 16, 2024

CVE-2017-12120

Description

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation, resulting in a root shell. An attacker can inject OS commands into the ip= parameter in the "/goform/net_WebPingGetValue" URI to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in Moxa EDR-810 web server allows authenticated attackers to execute arbitrary OS commands as root via the ping diagnostic page.

Vulnerability

The /goform/net_WebPingGetValue endpoint in Moxa EDR-810 firmware version V4.1 build 17030317 suffers from an OS command injection vulnerability. The ip= parameter is passed unsanitized into a ping command executed via system(). While client-side validation exists, it can be bypassed by directly sending HTTP POST requests with tools like curl; no server-side filtering is applied [1].

Exploitation

An attacker must first authenticate to the device's web interface. They then craft a POST request to the vulnerable URI with shell metacharacters (e.g., backticks or semicolons) in the ip= parameter. The injected command is executed by the web server process, which runs with root privileges [1].

Impact

Successful exploitation gives the attacker a root shell on the device, resulting in full compromise of confidentiality, integrity, and availability. They can read and modify all files, alter configuration, or pivot to other network targets [1].

Mitigation

As of the Talos advisory (May 18, 2017), no vendor patch was available. Users should contact Moxa for firmware updates or restrict network access to the web interface. If possible, disable the ping diagnostic feature entirely [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Moxa/EDR-810 (llm-fuzzy)
    Range: = 4.1 build 17030317
  • Talos/Moxa (v5)
    Range: Moxa EDR-810 V4.1 build 17030317

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing server-side input validation of the `ip=` parameter allows OS command injection via shell metacharacters."

Attack vector

An attacker must first authenticate to the device's web interface to reach the diagnostic ping page [ref_id=1]. The page performs only client-side input validation, which can be trivially bypassed by sending requests directly with tools such as cURL or Wget [ref_id=1]. By injecting backtick-enclosed OS commands into the `ip=` parameter of a POST to `/goform/net_WebPingGetValue`, the attacker's payload is interpolated into a shell command executed via `system()`, resulting in command injection [CWE-78] [ref_id=1]. The proof-of-concept payload `` ip=`tcpsvd 0 5000 /bin/bash`# `` causes the device to spawn a root shell on TCP port 5000 [ref_id=1].

Affected code

The vulnerability resides in the `/goform/net_WebPingGetValue` URI of the Moxa EDR-810 web server (firmware V4.1 build 17030317). The `ip=` parameter is passed unsanitized into a `sprintf` call that builds a shell command string, which is then executed by `system()` [ref_id=1]. The resulting command template is `echo "$(ping -c 4 %s -q -W 3| grep 'received' | cut -d ' ' -f4)" > /mnt/ramdisk/MagicPingResult`, where `%s` is the attacker-controlled input [ref_id=1].

What the fix does

The advisory does not include a patch diff, but the vendor released patched firmware on April 12, 2018 [ref_id=1]. The fix should implement server-side validation or sanitization of the `ip=` parameter before it is used in the shell command, preventing special characters such as backticks or command separators from being interpreted by the shell. Without such sanitization, any authenticated user can achieve privilege escalation to a root shell [ref_id=1].
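One way to do the server-side handling described above, as an added example (not Moxa's code and not taken from the advisory). The function names are hypothetical and it assumes the ping page only needs IPv4 literals; the ping options are those in the command template quoted under "Affected code".

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <spawn.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Hypothetical server-side check (assumption: IPv4 literals only).
 * Returns 1 only for a strict dotted-quad address, 0 otherwise. */
int ping_target_is_valid(const char *ip)
{
    struct in_addr addr;
    size_t len = ip ? strlen(ip) : 0;

    if (len < 7 || len > 15)                   /* "0.0.0.0" .. "255.255.255.255" */
        return 0;
    if (strspn(ip, "0123456789.") != len)      /* allow-list: digits and dots only */
        return 0;
    return inet_pton(AF_INET, ip, &addr) == 1; /* four octets, each 0-255 */
}

/* Fill argv for ping with the options from the page's command template.
 * The address is one argv element, so no shell ever parses it.
 * Returns 0 on success, -1 if the input is rejected. */
int build_ping_argv(const char *ip, char *argv[8])
{
    static const char *const fixed[6] = { "ping", "-c", "4", "-q", "-W", "3" };

    if (!ping_target_is_valid(ip))
        return -1;
    memcpy(argv, fixed, sizeof fixed);
    argv[6] = (char *)ip;
    argv[7] = NULL;
    return 0;
}

/* Run ping without system(); returns its exit status, -1 on rejection or error. */
int run_ping(const char *ip)
{
    char *argv[8];
    pid_t pid;
    int status;

    if (build_ping_argv(ip, argv) != 0 ||
        posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0 ||
        waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Validation and shell-free execution are independent controls: either one alone stops the payload shown on this page, and together they keep a later loosening of the validator (for example to accept hostnames) from reopening the injection.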

Preconditions

  • auth: Attacker must have valid credentials to log into the device's web interface
  • network: Attacker must be able to send HTTP POST requests to the device on the network
  • input: The client-side JavaScript validation must be bypassed by sending raw HTTP requests

Reproduction

The following POST request will start a root shell on port 5000 [ref_id=1]:

```
POST: /goform/net_WebPingGetValue HTTP/1.1
Host: DeviceIP
Cookie: Valid-Cookie
Content-Type: application/x-www-form-urlencoded

pingTemp=127.0.0.1&ifs=1&ip=`tcpsvd 0 5000 /bin/bash`#
```

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
