CVE-2017-12128
Description
An exploitable information disclosure vulnerability exists in the Server Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted TCP packet can cause information disclosure. An attacker can send a crafted TCP packet to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moxa EDR-810 V4.1 build 17030317 exposes sensitive device info when a crafted TCP packet with byte 0x21 is sent to port 4000.
Vulnerability
An exploitable information disclosure vulnerability exists in the Server Agent functionality of Moxa EDR-810 V4.1 build 17030317 [1]. When a specially crafted TCP packet containing the byte 0x21 is sent to TCP port 4000, the device replies with sensitive system information including model, firmware version, serial number, network configuration, and MAC address [1]. The vulnerability is classified as CWE-213 (Intentional Information Exposure) [1].
Exploitation
An attacker can trigger this vulnerability by sending a single TCP packet with the byte 0x21 to TCP port 4000 of the target device [1]. No authentication, user interaction, or special network position beyond network access to the device is required [1]. The device responds by calling the DoShowInfo function, which gathers system information and returns it in plain text over the same TCP connection [1].
Impact
Successful exploitation allows an unauthenticated, remote attacker to obtain detailed device configuration information, including the device model (EDR-810-VPN-2GSFP), name, serial number, firmware version (V3.13 build 16051215), location string, LAN IP address, netmask, gateway, and MAC address [1]. This information can be used to map the network, identify potential targets for further attacks, or aid in social engineering [1]. The CVSSv3 score for this vulnerability is 5.3 (Medium) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [1].
Mitigation
As of the publication date of this advisory (2018-05-14), no official patch or firmware update had been released to address this vulnerability in Moxa EDR-810 V4.1 build 17030317 [1]. Users should monitor Moxa’s security advisories and update to a patched firmware version when available. Until a fix is applied, restricting network access to TCP port 4000 to trusted hosts only is recommended as a workaround [1].
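To check that the port 4000 restriction is actually in force, the following added example (not from the advisory or from Moxa) scans connection records for traffic to the Server Agent port and flags 0x21 requests from hosts outside a trusted management range. The record format, the addresses, the trusted range, and the choice to match on the first payload byte are constructed assumptions.

```python
import ipaddress

SERVER_AGENT_PORT = 4000  # Server Agent port named in the advisory
SHOW_INFO_BYTE = 0x21     # byte that makes the agent call DoShowInfo
# Assumption: only this management range should ever reach TCP/4000.
TRUSTED_NETS = [ipaddress.ip_network("192.168.127.0/28")]

# Constructed records: timestamp,src,dst,dport,client_payload_hex
SAMPLE_LOG = """\
2018-05-14T10:00:01Z,192.168.127.5,192.168.127.254,4000,21
2018-05-14T10:00:07Z,10.20.30.40,192.168.127.254,4000,21
2018-05-14T10:00:09Z,10.20.30.40,192.168.127.254,4000,0a0b
2018-05-14T10:00:12Z,10.20.30.40,192.168.127.254,443,21
2018-05-14T10:00:15Z,10.20.30.41,192.168.127.254,4000,
malformed line
"""

def classify(line):
    """Return (severity, src, reason) for one record, or None if irrelevant."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None  # skip records that do not match the assumed format
    _ts, src, _dst, dport, payload_hex = parts
    try:
        port = int(dport)
        payload = bytes.fromhex(payload_hex)
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None  # bad port, hex or address
    if port != SERVER_AGENT_PORT:
        return None
    trusted = any(addr in net for net in TRUSTED_NETS)
    # Assumption: the first client byte is what selects DoShowInfo.
    is_info_request = payload[:1] == bytes([SHOW_INFO_BYTE])
    if is_info_request and not trusted:
        return ("high", src, "0x21 info request from untrusted host")
    if is_info_request:
        return ("info", src, "0x21 info request from management host")
    if not trusted:
        return ("medium", src, "untrusted host reached TCP/4000, ACL gap")
    return None

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

A "medium" finding means the access restriction is not being enforced even though no 0x21 request was seen.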
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Talos/Moxa (v5), Range: Moxa EDR-810 V4.1 build 17030317
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Server Agent on TCP port 4000 exposes the `DoShowInfo` function to unauthenticated clients, leaking sensitive system configuration data."
Attack vector
An unauthenticated attacker can send a single crafted TCP packet containing the byte 0x21 to the device on TCP port 4000 [1]. No authentication or prior interaction is required. The device responds with sensitive system configuration details including model, serial number, firmware version, network addressing, and MAC address [1]. This is classified as CWE-213 (Intentional Information Exposure) [1].
Affected code
The vulnerability resides in the Server Agent functionality listening on TCP port 4000. When the server receives byte 0x21, it calls the `DoShowInfo` function, which gathers system information (model, name, serial number, firmware version, location, LAN address, netmask, gateway, MAC address) and sends it back to the client via `net_data_send` [1].
What the fix does
The advisory does not include a patch diff. According to the timeline, the vendor published new firmware on April 12, 2018 to address this vulnerability [1]. The fix presumably restricts access to the `DoShowInfo` function so that only authenticated or authorized clients can trigger the system information disclosure, or removes the unauthenticated handler for byte 0x21 on TCP port 4000 [1].
Preconditions
- network: Attacker must be able to reach TCP port 4000 on the target device
- auth: No authentication required
Reproduction
Send the byte 0x21 to the device on TCP port 4000. For example: `echo -ne '\x21' | nc 127.0.0.1 4000` [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] www.talosintelligence.com/vulnerability_reports/TALOS-2017-0480 (mitre, x_refsource_MISC)