CVE-2017-14434
Description
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the remoteNetmask0= parameter in the "/goform/net\_Web\_get_value" uri to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An OS command injection vulnerability in Moxa EDR-810 allows authenticated attackers to execute arbitrary commands as root via a crafted POST to /goform/net_Web_get_value.
Vulnerability
An OS command injection vulnerability exists in the remoteNetmask0 parameter of the /goform/net_Web_get_value URI on Moxa EDR-810 V4.1 build 17030317. The web server runs as root, allowing commands to execute with root privileges [1].
Exploitation
An attacker must be authenticated to the web interface. They can inject OS commands into the remoteNetmask0 parameter via a POST request to /goform/net_Web_get_value. A proof-of-concept request is provided in the reference [1].
Impact
Successful exploitation allows arbitrary command execution as root, leading to full compromise of the device, including disclosure of sensitive information, modification of configuration, and denial of service.
Mitigation
No fix is mentioned in the reference. Users should restrict network access to the web interface and ensure strong authentication. Check Moxa's support site for firmware updates.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Talos/Moxav5Range: Moxa EDR-810 V4.1 build 17030317
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of special elements used in an OS command ('OS Command Injection') in the remoteNetmask0 parameter of the /goform/net_Web_get_value endpoint."
Attack vector
An attacker must first authenticate to the device's web interface [ref_id=1]. Once logged in, they send a crafted HTTP POST to "/goform/net_Web_get_value?SRV=SRV_OPENVPN_SERVER_USER" with the `remoteNetmask0=` parameter containing injected OS commands wrapped in backticks (e.g., `` `sleep+10` ``) [ref_id=1]. The web server does not sanitize this parameter before passing it to an OS command, resulting in command injection [CWE-78]. Because the web server runs as root, the injected commands execute with full root privileges, leading to privilege escalation to a root shell [ref_id=1].
Affected code
The vulnerability resides in the web server functionality handling POST requests to the URI "/goform/net_Web_get_value". The specific vulnerable parameter is `remoteNetmask0=` [ref_id=1]. The web server runs as root, so any injected commands execute with root privileges [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the vendor released patched firmware on 2018-04-12 [ref_id=1]. The fix would require proper neutralization of special elements (such as backticks, semicolons, or pipe characters) in the `remoteNetmask0=` parameter before the input is used in an OS command. Without sanitization, an attacker can break out of the intended parameter value and execute arbitrary shell commands.
Preconditions
- authAttacker must have valid credentials to log into the device's web interface
- networkAttacker must be able to send HTTP POST requests to the device on the network
- inputThe vulnerable parameter remoteNetmask0= is not sanitized before being used in an OS command
Reproduction
Send the following HTTP POST request to the target device (replace the Host IP and cookie values as appropriate):
``` POST /goform/net_Web_get_value?SRV=SRV_OPENVPN_SERVER_USER HTTP/1.1 Host: 192.168.127.254 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://192.168.127.254/openvpn_user.asp Cookie: NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; AUTHORITY=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 199
openvpnServer0_tmp=AAAA%2Bvvvvv%2B%60sleep%2B10%60%2B%60sleep%2B10%60%2B&ovpnServerId=1&username0=AAAA&password0=vvvvv&password_c=vvvvv&remoteNetwork0=%60sleep%2B10%60&remoteNetmask0=%60sleep%2B10%60 ```
The backtick-enclosed commands in `remoteNetmask0` (and `remoteNetwork0`) will be executed by the shell [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.talosintelligence.com/vulnerability_reports/TALOS-2017-0482mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.