CVE-2017-12127
Description
A password storage vulnerability exists in the operating system functionality of Moxa EDR-810 V4.1 build 17030317. An attacker with shell access could extract passwords in clear text from the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moxa EDR-810 V4.1 stores user passwords in plaintext in a configuration file, allowing attackers with shell access to extract credentials.
Vulnerability
The Moxa EDR-810 industrial secure router running firmware version V4.1 build 17030317 stores user account credentials in plaintext within the file `/magicP/cfg4.0/cfg_file/USER_ACCOUNT.CFG` [1]. This file mirrors the contents of `/etc/shadow` but with passwords in cleartext, violating secure password storage practices (CWE-256) [1].
Exploitation
An attacker who has already obtained shell access to the device (e.g., through another vulnerability or legitimate administrative access) can simply read the plaintext password file using a command such as `cat /magicP/cfg4.0/cfg_file/USER_ACCOUNT.CFG` [1]. No additional authentication or user interaction is required beyond the initial shell access.
Impact
Successful exploitation allows the attacker to retrieve all user passwords in cleartext, leading to full compromise of the device's user accounts [1]. This can enable lateral movement within the network or privilege escalation, as the attacker can then authenticate as any user whose password is stored.
Mitigation
Moxa released a patched firmware version on April 12, 2018, which addresses this vulnerability [1]. Users should update to the latest firmware available from Moxa's website. No workaround is provided; the only mitigation is to apply the firmware update. The device is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 - Talos/Moxa (v5) Range: Moxa EDR-810 V4.1 build 17030317
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The device stores user credentials in plaintext in the USER_ACCOUNT.CFG file instead of using hashed or encrypted passwords."
Attack vector
An attacker must first obtain shell access to the Moxa EDR-810 device (V4.1 build 17030317). Once shell access is achieved, the attacker can read the file `/magicP/cfg4.0/cfg_file/USER_ACCOUNT.CFG` to extract all stored passwords in clear text [1]. The vulnerability is classified as CWE-256 (Plaintext Storage of a Password) [1].
Affected code
The device stores credentials in plaintext in the file `/magicP/cfg4.0/cfg_file/USER_ACCOUNT.CFG`. This file mirrors the contents of `/etc/shadow`, except all passwords are stored in clear text [1].
What the fix does
The vendor (Moxa) patched the issue and published new firmware on April 12, 2018 [1]. The advisory does not specify the exact changes made in the patch, but the remediation would involve ensuring that passwords are not stored in plaintext in the `USER_ACCOUNT.CFG` file, and instead using proper hashing or encryption for credential storage [1].
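A check a defender could run over an exported copy of a shadow-style credential file to confirm that every password field holds a hash rather than clear text. This is an added example, not code from Moxa or Talos; it assumes the standard colon-separated `/etc/shadow` field layout, which the page implies but does not show, and the sample entries are constructed.

```python
import re

# Modular crypt format: $id$[params$]salt$hash, hash at least 22 chars (md5-crypt).
MCF_RE = re.compile(r"^\$[0-9a-z]+\$[./0-9A-Za-z=,$]+\$[./0-9A-Za-z]{22,}$")
# Legacy DES crypt: exactly 13 characters from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample (assumed shadow layout); not taken from a real device.
SAMPLE = "\n".join([
    "root:$6$constructedsalt$" + "A" * 86 + ":17000:0:99999:7:::",
    "admin:Summer2017!:17000:0:99999:7:::",
    "operator::17000:0:99999:7:::",
    "daemon:*:17000:0:99999:7:::",
])


def classify_field(field):
    """Classify the password field (second column) of one entry."""
    if field == "":
        return "empty"
    body = field.lstrip("!")  # a leading '!' marks a locked account
    if body in ("", "*"):
        return "locked"
    if MCF_RE.match(body):
        return "hash"
    if DES_RE.match(body):
        return "hash-legacy-des"  # caveat: a 13-char plaintext also matches
    return "plaintext"


def audit_shadow_text(text):
    """Return (line_no, user, verdict) per entry; the secret is never returned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            findings.append((line_no, parts[0], "malformed"))
            continue
        findings.append((line_no, parts[0], classify_field(parts[1])))
    return findings


if __name__ == "__main__":
    for line_no, user, verdict in audit_shadow_text(SAMPLE):
        print(f"line {line_no}: {user}: {verdict}")
```

Any `plaintext` or `empty` verdict on a file that is supposed to mirror `/etc/shadow` means the stored credentials should be treated as exposed and rotated after the firmware update.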
Preconditions
- auth: Attacker must have shell access to the Moxa EDR-810 device
- config: Device must be running Moxa EDR-810 V4.1 build 17030317
Reproduction
`cat /magicP/cfg4.0/cfg_file/USER_ACCOUNT.CFG` [1]
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.talosintelligence.com/vulnerability_reports/TALOS-2017-0479 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.