CVE-2017-14432
Description
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the openvpnServer0_tmp= parameter in the "/goform/net_Web_get_value" uri to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Moxa EDR-810 web server allows authenticated attackers to execute OS commands as root via the openvpnServer0_tmp parameter.
Vulnerability
A command injection vulnerability exists in the web server of Moxa EDR-810 V4.1 build 17030317. The /goform/net_Web_get_value endpoint does not sanitize the openvpnServer0_tmp POST parameter, allowing injection of arbitrary OS commands. The vulnerability is identified as CVE-2017-14432 [1].
Exploitation
An attacker must have valid credentials to log into the device's web interface. By sending a crafted HTTP POST request to /goform/net_Web_get_value with malicious content in the openvpnServer0_tmp parameter, the injected commands are executed on the device [1].
Impact
Successful exploitation results in privilege escalation to a root shell, giving the attacker full control over the device. This can lead to complete compromise of confidentiality, integrity, and availability [1].
Mitigation
As of the publication date, no official fix has been disclosed. Users should monitor Moxa's advisory for updated firmware. Restricting network access to the web interface and using strong authentication may reduce risk [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Talos/Moxa (v5), range: Moxa EDR-810 V4.1 build 17030317
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of special elements (backtick shell metacharacters) in the openvpnServer0_tmp POST parameter allows OS command injection."
Attack vector
An attacker must first authenticate to the device's web interface [1]. Once logged in, they send a crafted HTTP POST to "/goform/net_Web_get_value?SRV=SRV_OPENVPN_SERVER_USER" with a malicious payload in the "openvpnServer0_tmp" parameter [1]. The payload uses backtick-delimited OS commands (e.g., `sleep 10`) which are not neutralized before being passed to the shell [CWE-78]. Because the web server runs as root, the injected commands execute with full system privileges, resulting in a root shell [1].
Affected code
The vulnerable endpoint is the URI "/goform/net_Web_get_value" in the web server of Moxa EDR-810 V4.1 build 17030317. The specific parameter "openvpnServer0_tmp=" is passed unsanitized into an OS command, allowing injection [1]. The web server runs as root, so any injected command executes with root privileges [1].
What the fix does
The vendor patched the vulnerability and published new firmware on 2018-04-12 [1]. The advisory does not include a patch diff, but the fix presumably sanitizes or escapes shell metacharacters (such as backticks) in the "openvpnServer0_tmp" parameter before the value is used in an OS command. Without such neutralization, an authenticated attacker can inject arbitrary commands that run as root [CWE-78].
Preconditions
- auth: Attacker must have valid credentials to log in to the device's web interface
- network: Attacker must be able to send HTTP POST requests to the device on the network
- input: The vulnerable parameter openvpnServer0_tmp is accepted without sanitization
Reproduction
Send the following HTTP POST request to the target device (replace the Host IP as needed):
```
POST /goform/net_Web_get_value?SRV=SRV_OPENVPN_SERVER_USER HTTP/1.1
Host: 192.168.127.254
Cookie: NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; AUTHORITY=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

openvpnServer0_tmp=AAAA%2Bvvvvv%2B%60sleep%2B10%60%2B%60sleep%2B10%60%2B&ovpnServerId=1&username0=AAAA&password0=vvvvv&password_c=vvvvv&remoteNetwork0=%60sleep%2B10%60&remoteNetmask0=%60sleep%2B10%60
```
The backtick-encased `sleep 10` commands will execute with root privileges, confirming command injection [1].
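A defender-side check for this request pattern, for use over proxy or WAF captures: it decodes the form body of a POST to the affected endpoint and reports every field that carries shell metacharacters. This is an added example, not code from the Talos advisory or from Moxa; the function names, the metacharacter set beyond the backtick, and the benign sample body are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

AFFECTED_PATH = "/goform/net_Web_get_value"  # endpoint named on this page
# The page documents backticks only; "$(", ";", "|", "&" and newlines are an
# added assumption about what else a POSIX shell would interpret.
SHELL_META = re.compile(r"`|\$\(|[;|&\r\n]")

# Request body quoted in the Reproduction section of this page.
PAGE_BODY = ("openvpnServer0_tmp=AAAA%2Bvvvvv%2B%60sleep%2B10%60%2B%60sleep%2B10%60%2B"
             "&ovpnServerId=1&username0=AAAA&password0=vvvvv&password_c=vvvvv"
             "&remoteNetwork0=%60sleep%2B10%60&remoteNetmask0=%60sleep%2B10%60")
# Constructed benign body using the same field names.
BENIGN_BODY = ("openvpnServer0_tmp=alice+secret+&ovpnServerId=1&username0=alice"
               "&password0=secret&password_c=secret"
               "&remoteNetwork0=10.0.0.0&remoteNetmask0=255.255.255.0")


def _decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %2560) so it cannot hide a backtick."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(request_target, body):
    """Return {field: decoded value} for form fields holding shell metacharacters.

    request_target: path plus optional query from the request line.
    body: raw application/x-www-form-urlencoded payload.
    """
    if urlsplit(request_target).path != AFFECTED_PATH:
        return {}
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        value = _decode_fully(value)
        if SHELL_META.search(value):
            hits[name] = value
    return hits


if __name__ == "__main__":
    target = AFFECTED_PATH + "?SRV=SRV_OPENVPN_SERVER_USER"
    for label, body in (("page sample", PAGE_BODY), ("benign", BENIGN_BODY)):
        print(label, suspicious_params(target, body))
```

Password fields can legitimately contain characters such as `&` or `;`, so hits on those fields should be triaged rather than blocked outright.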
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.talosintelligence.com/vulnerability_reports/TALOS-2017-0482 (mitre, x_refsource_MISC)