VYPR
High severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-9266

Description

Missing cryptographic step in Moxa embedded Linux firmware allows physical attackers to derive LUKS disk encryption key via SPI bus eavesdropping.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A missing required cryptographic step (CWE-325) exists in Moxa's embedded Linux firmware for industrial computers and controllers [1]. This vulnerability is an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure, but an omission in the authorization session configuration renders the encryption ineffective [1]. Affected firmware versions are those prior to the fix released on June 12, 2026, as detailed in Moxa security advisory MPSA-266240 [1].

Exploitation

Exploitation requires invasive physical access to the device [1]. An attacker must open the device and attach external probing equipment to the SPI bus to capture TPM communications [1]. From the captured data, the attacker can derive the LUKS disk encryption key in plaintext [1]. Remote exploitation is not possible, and no user interaction or authentication is needed beyond physical access [1].

Impact

Successful exploitation results in full compromise of the encrypted disk volume [1]. The attacker obtains the LUKS disk encryption key, allowing decryption of all data on the volume [1]. The attack does not affect any downstream systems [1].

Mitigation

Moxa has released firmware updates to address this vulnerability [1]. Users are strongly advised to apply the latest firmware immediately, as per security advisory MPSA-266240 [1]. No workarounds are documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
