CVE-2017-12126
Description
An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Moxa EDR-810 V4.1 build 17030317 lets attackers perform actions as authenticated users via malicious HTML.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the web server of Moxa EDR-810 running firmware version V4.1 build 17030317. The device lacks anti-CSRF tokens and does not allow users to log out, leaving sessions perpetually valid [1].
Exploitation
An attacker can craft a malicious HTML page that automatically submits a request to the device. The victim must be logged into the device and visit the attacker-controlled page; no other privileges are needed. For example, a rendered form can change network settings or add users without the victim's knowledge [1].
Impact
Successful exploitation enables the attacker to execute any action the authenticated user can perform, including modifying firewall rules, uploading firmware, or adding administrative accounts. This can be chained with a command injection to gain a root shell on the device, leading to full compromise [1].
Mitigation
The vendor released a patched firmware on April 12, 2018. Users should upgrade to the latest version. No workaround is available if the device cannot be updated [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Talos/Moxav5Range: Moxa EDR-810 V4.1 build 17030317
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing anti-CSRF token validation and absence of origin/referer checks on HTTP form handlers allows an attacker to forge authenticated requests."
Attack vector
An attacker crafts malicious HTML (e.g., a hidden form that auto-submits via JavaScript) and lures an authenticated user into visiting the attacker's page [ref_id=1]. Because the Moxa EDR-810 web server does not validate a CSRF token or any origin/referer header, the browser automatically includes the victim's session cookie with the forged request [CWE-352]. The malicious request can perform any action the logged-in user is authorized to take, such as adding a new user or modifying firewall rules [ref_id=1]. The attack is compounded by the fact that the device does not provide a logout mechanism, so a user's session remains valid indefinitely [ref_id=1].
Affected code
The vulnerability exists in the web server functionality of Moxa EDR-810 running firmware V4.1 build 17030317. The advisory identifies the endpoint `/goform/net_WebPingGetValue` as one example of a form handler that accepts POST requests without CSRF protection [ref_id=1]. No specific source file or function name is provided in the advisory.
What the fix does
The advisory does not include a patch diff or source-level fix details. According to the timeline, the vendor released patched firmware on April 12, 2018 [ref_id=1]. The recommended remediation is to implement anti-CSRF tokens or other origin-validation mechanisms on all state-changing form handlers, and to provide a session logout function so that sessions do not remain valid indefinitely [ref_id=1].
Preconditions
- authThe victim must have an active authenticated session on the Moxa EDR-810 web interface.
- inputThe victim must visit a malicious HTML page (e.g., delivered via phishing or a cross-origin embed) while the session is active.
- networkThe attacker must know or guess the IP address of the target device (default 192.168.127.254 in the PoC).
Reproduction
1. Log in to the Moxa EDR-810 web interface at `http://192.168.127.254` (or the device's actual IP). 2. In a separate browser tab, open the attacker's HTML page (the PoC below auto-submits a POST to `/goform/net_WebPingGetValue`). 3. Observe that the forged request is accepted and executed, demonstrating that no CSRF token or origin check is enforced.
PoC HTML (from [ref_id=1]): ```html
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.talosintelligence.com/vulnerability_reports/TALOS-2017-0478mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.