Moxa Clears SQL Injection Hole

Tuesday, August 2, 2016 @ 04:08 PM gHale


Moxa produced an update to mitigate a SQL injection vulnerability in its SoftCMS, according to an ICS-CERT report.

SoftCMS versions prior to Version 1.5 suffer from the remotely exploitable vulnerability, discovered by Zhou Yu of Acorn Network Security, who reported it to the Zero Day Initiative, which in turn reported it to ICS-CERT.

A successful exploit of this vulnerability could allow an attacker to execute arbitrary commands on the target system.

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil.

The affected product, SoftCMS, is central management software for large-scale surveillance systems. SoftCMS sees action across several sectors including commercial facilities, critical manufacturing, energy, and transportation systems. Moxa estimates that these products see use primarily in the United States and Europe with a small percentage in Asia.

SoftCMS does not properly sanitize input fields, allowing an attacker to access the product by specially crafting the input.

CVE-2016-5792 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.

Moxa’s suggested mitigation is to update the application (SoftCMS v1.5), which is available for download from Moxa’s web site.