VYPR
Unrated severity · NVD Advisory · Published Jun 7, 2019 · Updated Aug 5, 2024

CVE-2018-10698

Description

An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also, an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Moxa AWK-3121 devices running firmware 1.14 ship with unencrypted TELNET enabled by default, exposing traffic and allowing connection with unchanged default credentials.

Vulnerability

Moxa AWK-3121 devices running firmware version 1.14 have an unencrypted TELNET service enabled by default [1]. This service is active immediately after the device is powered on without requiring any additional configuration. The default credentials are set to known values that remain active unless explicitly changed by the user [1].

Exploitation

An attacker who is able to achieve a man-in-the-middle (MITM) position on the network segment where the device resides can passively sniff all TELNET traffic, including authentication credentials and commands [1]. Additionally, if the default credentials have not been changed, the attacker can directly connect to the TELNET daemon without any prior access, simply by authenticating with those known credentials [1]. No user interaction or race condition is required.

Impact

Successful exploitation allows the attacker to obtain full administrative control over the device. This leads to complete compromise of confidentiality, integrity, and availability (CIA) of the device's operations, including the ability to read and modify device configuration, intercept network communications, and potentially pivot to other devices on the network [1].

Mitigation

Moxa has not released a firmware update to address this issue as of the publication date [1]. The primary mitigation is to change the default credentials immediately upon device deployment and to disable TELNET in favor of a secure protocol such as SSH, if supported. Network segmentation and strict access control lists can reduce the attack surface. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
