CVE-2018-10701
Description
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to buffer overflow. By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer overflow in Moxa AWK-3121 script execution allows unauthenticated remote code execution via crafted POST parameter.
Vulnerability
The vulnerability exists in the script execution functionality of Moxa AWK-3121 devices running firmware version 1.14. The POST parameter iw_filename is susceptible to a buffer overflow. By sending a packet with a string of 162 characters in this parameter, an attacker can trigger the overflow. The affected code path is available to any user who can reach the device's web interface, as no authentication is required for this functionality.
Exploitation
An attacker with network access to the device can exploit this vulnerability by crafting a POST request to the vulnerable endpoint with the iw_filename parameter set to a 162-character string. The exact steps are detailed in the referenced proof-of-concept code [1]. No prior authentication or user interaction is needed.
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the device with the privileges of the web server (likely root). This leads to full compromise of the device, including potential data exfiltration, device misconfiguration, or use as a pivot point in the network.
Mitigation
As of the publication date (2019-06-07), no official patch was available from Moxa. Users should restrict network access to the device's web interface to trusted administrators only. If a newer firmware version is later released, it should be applied. The device may be end-of-life, so replacement may be necessary.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Moxa/AWK-3121description
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- packetstormsecurity.com/files/153223/Moxa-AWK-3121-1.14-Information-Disclosure-Command-Execution.htmlmitrex_refsource_MISC
- github.com/samuelhuntley/Moxa_AWK_1121/blob/master/Moxa_AWK_1121mitrex_refsource_MISC
- seclists.org/bugtraq/2019/Jun/8mitremailing-listx_refsource_BUGTRAQ
News mentions
0No linked articles in our index yet.