CVE-2017-12129
Description
An exploitable Weak Cryptography for Passwords vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. An attacker could intercept weakly encrypted passwords and could brute force them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moxa EDR-810 V4.1 uses unsalted MD5 hashes for password transmission, allowing interception and offline brute-force cracking.
Vulnerability
The Moxa EDR-810 web server, version V4.1 build 17030317, employs weak cryptography for password handling. After initial authentication, each subsequent HTTP request includes the password as an unsalted MD5 hash in the PASSWORD cookie parameter. This design flaw (CWE-216) makes the password hash trivially susceptible to offline brute-force attacks [1].
Exploitation
An attacker with network access to the administrative interface can intercept the HTTP traffic using standard packet capture tools. By extracting the PASSWORD cookie value from any authenticated request (e.g., a GET to /overview.asp), the attacker obtains the MD5 hash of the admin password. No authentication or user interaction is required beyond the capture of a single traffic sample. The attacker then performs an offline dictionary or brute-force attack against the captured hash to recover the plaintext password [1].
Impact
Successful exploitation reveals the device's administrative password. This grants the attacker unauthorized access to the web interface, allowing full control over device configuration, network settings, and security policies. The impact is limited to confidentiality of the password, with no direct remote code execution, but elevated access can be leveraged against the network [1].
Mitigation
Moxa released a patched firmware version on April 12, 2018, which fixes this vulnerability. Users should update to the latest firmware available from Moxa's support website. No workaround is documented for unpatched versions; upgrading is the only mitigation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Talos/Moxa (v5) Range: Moxa EDR-810 V4.1 build 17030317
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The web server transmits the user password as an unsalted MD5 hash in the HTTP cookie, enabling offline brute-force recovery."
Attack vector
An attacker with network access to the Moxa EDR-810 can intercept HTTP traffic (e.g., via ARP spoofing or passive sniffing on a local network) and extract the `PASSWORD` cookie value, which contains an unsalted MD5 hash of the device password [ref_id=1]. Because the hash is unsalted, the attacker can perform offline brute-force or dictionary attacks to recover the plaintext password [CWE-216]. The attack requires adjacency to the device (CVSS:3.0/AV:A) and no authentication, but the attacker must wait for an authenticated user to make a request [ref_id=1].
Affected code
The web server functionality of Moxa EDR-810 V4.1 build 17030317 transmits the user password as an unsalted MD5 hash in the `PASSWORD` cookie parameter with every authenticated request [ref_id=1]. No specific source file is named in the advisory, but the affected component is the HTTP cookie-handling logic that sets the `PASSWORD` field [ref_id=1].
What the fix does
The advisory states that the vendor published a patched firmware on 2018-04-12, but no patch diff is included in the bundle [ref_id=1]. The recommended remediation is to replace the unsalted MD5 hash with a strong, salted hashing algorithm (e.g., bcrypt, scrypt, or PBKDF2) and to transmit the credential over a TLS-protected session to prevent interception [ref_id=1]. Without a salt, the MD5 hash is trivially susceptible to rainbow-table and brute-force attacks.
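The remediation recommended above, as an added example (not Moxa's firmware code and not taken from the advisory): the cookie scheme the advisory describes beside a salted PBKDF2 credential store with an opaque session token. The function names, the `SESSION` cookie name, the iteration count and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the device CPU
SESSIONS = {}                # token -> user, in-memory store for this example


def weak_cookie(user: str, password: str) -> str:
    """Scheme the advisory describes: unsalted MD5 of the password, sent on every request."""
    return f"Cookie: NAME={user}; PASSWORD={hashlib.md5(password.encode()).hexdigest()}"


def enroll(password: str) -> dict:
    """Store a per-user random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def login(user: str, password: str, record: dict):
    """On success, issue a random session token; nothing in the cookie derives from the password."""
    if not verify(password, record):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    # Secure keeps the cookie off plain HTTP, so it is only sent over TLS.
    return f"Set-Cookie: SESSION={token}; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    pw = "example-password"  # constructed sample value
    print(weak_cookie("admin", pw))            # identical on every request and every device
    rec_a, rec_b = enroll(pw), enroll(pw)
    print(rec_a["digest"] != rec_b["digest"])  # salts differ, so stored digests differ
    print(login("admin", pw, rec_a))           # fresh random token per login
```

The weak cookie value is a stable function of the password alone, so it is both precomputable and replayable; the session token is neither and can be revoked by deleting it from the store.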
Preconditions
- network: Attacker must be on the same network segment (adjacent) to the Moxa EDR-810 to intercept HTTP traffic.
- input: An authenticated user must make an HTTP request to the device so the PASSWORD cookie is transmitted.
Reproduction
Intercept an authenticated HTTP request to the Moxa EDR-810 web interface. The `PASSWORD` cookie parameter contains an unsalted MD5 hash of the user's password, as shown in the following captured request [ref_id=1]:
```
GET /overview.asp HTTP/1.1
Host: 192.168.127.254
Cookie: NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; ...
```
Extract the MD5 hash and crack it offline using a dictionary or brute-force tool (e.g., hashcat or John the Ripper) to recover the plaintext password [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.talosintelligence.com/vulnerability_reports/TALOS-2017-0481 (mitre, x_refsource_MISC)