CVE-2017-12121
Description
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the rsakey\_name= parm in the "/goform/WebRSAKEYGen" uri to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moxa EDR-810 V4.1 build 17030317 web interface allows authenticated OS command injection via the `rsakey_name` parameter, leading to root shell.
Vulnerability
The web server of Moxa EDR-810 V4.1 build 17030317 contains an exploitable OS command injection vulnerability (CWE-78) in the /goform/WebRSAKEYGen endpoint. When an authenticated user sends a POST request to generate an RSA key, the rsakey_name parameter is passed unsanitized into the system() call via MIPS binary code [1].
Exploitation
An attacker must first have valid credentials to the device's web interface, enabling authenticated HTTP POST requests. The exploit injects a command enclosed in backticks into the rsakey_name parameter; for example, rsakey_name=\tcpsvd 0 5000 /bin/bash\# spawns a root shell on TCP port 5000 [1]. The device firmware uses MIPS big-endian architecture.
Impact
Successful exploitation yields a root shell with full privileges on the device. An attacker can then read, modify, or delete any data, install persistent backdoors, and pivot into the internal OT network. This results in complete compromise of confidentiality, integrity, and availability [1]. The CVSSv3 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Mitigation
Moxa patched this vulnerability in firmware version V4.2 released on 2018-04-12 [1]. Users should upgrade to V4.2 or later. No other workaround is documented; the device's web interface should be restricted to trusted networks only. This CVE does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Talos/Moxav5Range: Moxa EDR-810 V4.1 build 17030317
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The `rsakey_name` parameter is passed unsanitized to the `system()` function, allowing OS command injection."
Attack vector
An attacker must first authenticate to the device's web interface. Once logged in, they send a crafted HTTP POST to `/goform/net_WebRSAKEYGen` with backtick-delimited OS commands embedded in the `rsakey_name=` parameter. The server passes the unsanitized value to `system()`, executing the injected commands with root privileges [CWE-78] [ref_id=1].
Affected code
The vulnerable endpoint is `/goform/net_WebRSAKEYGen` and the injectable parameter is `rsakey_name=`. The binary receives the user-supplied value and passes it directly to the `system()` function without sanitization, as shown in the reverse-engineered code snippet [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the vendor released patched firmware on 2018-04-12 [ref_id=1]. The fix should neutralize shell metacharacters (such as backticks) in the `rsakey_name` parameter before it reaches `system()`, or replace the `system()` call with a safer API that does not invoke a shell interpreter.
Preconditions
- authAttacker must have valid credentials and be logged into the device's web interface
- networkAttacker must be able to send HTTP POST requests to the device over the network
- inputThe vulnerable parameter rsakey_name= accepts arbitrary user-controlled input
Reproduction
Send the following HTTP POST to the target device (replace DeviceIP and Valid-Cookie with actual values):
``` POST: /goform/net_WebRSAKEYGen HTTP/1.1 Host: DeviceIP Cookie: Valid-Cookie Content-Type: application/x-www-form-urlencoded
rsakey_name=`tcpsvd 0 5000 /bin/bash`# ```
This starts a root shell listening on port 5000 [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.talosintelligence.com/vulnerability_reports/TALOS-2017-0473mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.