CVE-2017-12125
Description
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the CN= parm in the "/goform/net_WebCSRGen" uri to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Moxa EDR-810 web server allows authenticated attackers to execute OS commands as root via crafted HTTP POST.
Vulnerability
An OS command injection vulnerability exists in the web server of Moxa EDR-810 V4.1 build 17030317. The /goform/net_WebCSRGen endpoint does not properly sanitize the CN parameter, allowing injection of arbitrary OS commands. [1]
Exploitation
An attacker must first authenticate to the web interface. By sending a crafted HTTP POST request to /goform/net_WebCSRGen with a command injection payload in the CN parameter, the device executes the injected command via system(). A proof-of-concept POST can start a root shell on port 5000. [1]
Impact
Successful exploitation grants an attacker root-level command execution, leading to full compromise of confidentiality, integrity, and availability of the device. The CVSSv3 score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). [1]
Mitigation
The vendor released a patched firmware on April 12, 2018. Users should upgrade to the latest version available on Moxa's website. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Talos/Moxav5Range: Moxa EDR-810 V4.1 build 17030317
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The `CN=` parameter in the `/goform/net_WebCSRGen` endpoint is passed unsanitized to the `system()` library call, allowing OS command injection."
Attack vector
An attacker must first authenticate to the device's web interface. Once logged in, a crafted HTTP POST to `/goform/net_WebCSRGen` with OS command injection in the `CN=` parameter triggers the vulnerability [ref_id=1]. The injected commands are executed via `system()` with root privileges, allowing the attacker to achieve a root shell [ref_id=1]. The proof-of-concept uses backtick-delimited commands, e.g. `CN=\`tcpsvd 0 5000 /bin/bash\`#` [ref_id=1].
Affected code
The vulnerable endpoint is `/goform/net_WebCSRGen`, which accepts a POST request. The `CN=` parameter is passed directly to the `system()` library call without sanitization, as shown in the disassembly where the value extracted via `strstr` for "CN=" is later passed to `system` [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the vendor released patched firmware on 2018-04-12 [ref_id=1]. The fix would require proper neutralization of special OS command characters in the `CN=` parameter before it reaches `system()`, or replacing the `system()` call with a safer API that does not invoke a shell [ref_id=1].
Preconditions
- authAttacker must have valid credentials to log into the device's web interface
- networkAttacker must be able to send HTTP POST requests to the device
- inputThe CN parameter value is attacker-controlled and unsanitized
Reproduction
Send the following HTTP POST to the target device (replace DeviceIP and Cookie values):
``` POST: /goform/net_WebCSRGen HTTP/1.1 Host: DeviceIP Cookie: Valid-Cookie Content-Type: application/x-www-form-urlencoded
CN=`tcpsvd 0 5000 /bin/bash`# ```
This starts a root shell listening on port 5000 [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.talosintelligence.com/vulnerability_reports/TALOS-2017-0477mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.