OpenSSH Vulnerability Allows Remote Code Execution on Unpatched Moxa Ethernet Switches


What happened

A critical OpenSSH vulnerability, CVE-2023-38408, exposes Moxa Ethernet switches to remote code execution. The flaw sits in the PKCS#11 support of ssh-agent: the provider search path is insufficiently trustworthy, so an attacker who can supply a PKCS#11 provider path can make the agent load and execute a shared library of their choosing (NVD classifies it as a search-path weakness, CWE-428, and scores it CVSS 9.8: network vector, no privileges, no user interaction). The practical trigger for the upstream bug is a forwarded ssh-agent reaching a host the attacker controls, so exposure is highest wherever agent forwarding is used toward, or from, an affected device. The issue is an incomplete fix for an earlier OpenSSH bug, CVE-2016-10009, and was closed upstream in OpenSSH 9.3p2. Moxa lists affected models in its EDS and RKS series running older firmware and has published advisories recommending an upgrade to the fixed firmware versions.

Who is affected

Organizations deploying Moxa Ethernet switches in operational or industrial environments are directly exposed to remote code execution if devices run unpatched firmware and are reachable over IP networks. 

Why CISOs should care

The vulnerability undermines core infrastructure components, enabling potential compromise of operational and network devices that support critical communications. Exploitation could lead to breaches of confidentiality, integrity, and availability in industrial and enterprise networks. 

3 practical actions

  • Apply firmware patches: Upgrade all affected switch firmware to the versions Moxa recommends, and confirm the running firmware version on each device after the upgrade rather than relying on the SSH banner, which a vendor backport may leave unchanged.
  • Segment and restrict network access: Limit management access to trusted networks with ACLs or VLAN separation, and do not forward ssh-agent to or through devices that have not yet been patched.
  • Monitor for anomalous activity: Increase detection coverage for SSH logins to switches from sources outside the management network, logins at unusual times, and repeated failed authentications that precede a success.
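The following script is an added example written for this page, not Moxa's or OpenSSH's code, that turns the three actions above into two checks a practitioner can run against an inventory: a banner triage that flags devices advertising an OpenSSH version older than the upstream fix (9.3p2) and a log filter that surfaces sshd login attempts originating outside the management network. It assumes the stock sshd log format and a management VLAN of 10.20.0.0/24; the hostnames, banners and log lines are constructed for illustration. Because vendor firmware (and distributions such as Ubuntu) backport fixes without bumping the banner, a pre-9.3p2 banner is a signal to check the device against the vendor's fixed-firmware list, not proof that it is exploitable.

```python
"""Triage helpers for the CVE-2023-38408 advisory above.

Added example, not Moxa's or OpenSSH's code. Assumptions:
  * the upstream fix shipped in OpenSSH 9.3p2; vendor firmware may backport
    it without changing the banner, so a pre-9.3p2 banner is a triage signal
    to check against the vendor's fixed-firmware list, not proof of exposure
  * log lines use the stock sshd message format; all sample data is constructed
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

FIXED_UPSTREAM = (9, 3, 2)  # OpenSSH 9.3p2 closed CVE-2023-38408 upstream

# Matches "OpenSSH_7.4p1", "OpenSSH_9.6" (OpenBSD-style, no portable suffix),
# and banners with distro suffixes such as "OpenSSH_8.2p1 Ubuntu-4ubuntu0.11".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Stock sshd auth lines: "Accepted publickey for admin from 10.20.0.5 port 51322 ssh2"
# and "Failed password for invalid user root from 198.51.100.9 port 40013 ssh2".
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)"
)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable) from an SSH identification string, or
    None when the server is not OpenSSH (e.g. dropbear), so that unknown
    servers are never silently treated as safe."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    # A banner without a "pN" suffix (OpenBSD base release) sorts below the
    # portable release of the same number, so a bare 9.3 is treated as pre-fix.
    return int(major), int(minor), int(portable or 0)


def banner_predates_fix(banner: str) -> Optional[bool]:
    """True if the advertised version is older than 9.3p2, False if not,
    None if the banner is not OpenSSH at all."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < FIXED_UPSTREAM


def triage_inventory(banners: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map hostname -> pre-fix flag for a banner inventory."""
    return {host: banner_predates_fix(b) for host, b in banners.items()}


def flag_ssh_outside_mgmt(lines: List[str], mgmt_nets: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (outcome, method, user, source_ip) for every sshd login attempt,
    successful or failed, whose source lies outside the allowed management networks."""
    allowed = [ipaddress.ip_network(n) for n in mgmt_nets]
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not an authentication line
        outcome, method, user, src, _port = m.groups()
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in allowed):
            hits.append((outcome, method, user, src))
    return hits


# Constructed sample data: hostnames, banners and log lines are made up.
SAMPLE_BANNERS = {
    "eds-sw01": "SSH-2.0-OpenSSH_7.4p1",
    "eds-sw02": "SSH-2.0-OpenSSH_9.3p2",
    "rks-core": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11",  # distro may have backported the fix
    "legacy-sw": "SSH-2.0-dropbear_2019.78",
}

SAMPLE_LOG = [
    "Jul 19 10:02:11 eds-sw01 sshd[4123]: Accepted publickey for admin from 10.20.0.5 port 51322 ssh2: ED25519 SHA256:abcd",
    "Jul 19 10:05:40 eds-sw01 sshd[4150]: Accepted password for admin from 192.0.2.77 port 40012 ssh2",
    "Jul 19 10:06:01 eds-sw01 sshd[4151]: Failed password for invalid user root from 198.51.100.9 port 40013 ssh2",
    "Jul 19 10:07:30 eds-sw01 sshd[4151]: Connection closed by 198.51.100.9 port 40013 [preauth]",
]

MGMT_NETS = ["10.20.0.0/24"]  # assumed management VLAN for the sample switch

LABELS = {
    True: "advertises pre-9.3p2 OpenSSH: check vendor firmware",
    False: "advertises 9.3p2 or later",
    None: "not OpenSSH: check separately",
}

if __name__ == "__main__":
    for host, flag in triage_inventory(SAMPLE_BANNERS).items():
        print(f"{host}: {LABELS[flag]}")
    for hit in flag_ssh_outside_mgmt(SAMPLE_LOG, MGMT_NETS):
        print("SSH login attempt from outside management network:", hit)
```

Feed `flag_ssh_outside_mgmt` the switch's forwarded syslog and `triage_inventory` the banners collected by your scanner of choice; the `None` result for non-OpenSSH servers is deliberate, so that devices running a different SSH implementation are reviewed rather than dropped from the list.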