- Fotolia

How can a Moxa MXview vulnerability be exploited by hackers?

A vulnerability was found in Moxa MXview -- a software used to visualize network devices and physical connections. Learn how this vulnerability can enable privilege escalation.

Moxa Inc.'s MXview is often used by enterprises to visualize network devices and physical connections automatically. A vulnerability was recently found in some MXview versions that could enable privilege escalation. What is this vulnerability, and how can Moxa MXview be abused?

The unquoted service path vulnerability was found in MXview 2.8 and earlier versions, and it enables a local user to escalate privileges by inserting arbitrary code in a service path that is not enclosed with quotes. The unquoted service path may contain spaces -- for instance, D:\2012455 4562 56. To execute the arbitrary code, the service must be enabled before it can be restarted.

Moxa MXview can be abused in several different ways, including:

  • The user could configure, monitor and diagnose new network devices in the enterprise's industrial devices and Simple Network Management Protocol/IP devices installed on subnets. These devices include industrial wireless devices, industrial secure routers, industrial Ethernet gateways and Ethernet remote I/Os.
  • The user could manually look through the services via the command window to find other paths that are unquoted. This could alter the service path, appearance of the dashboard, file names, data in files, the placement of files into a subdirector, and some menu items could even be added or deleted.
  • The backup of the MXview database could be rescheduled and possibly rerouted to the user's server, where the user could then alter the files in the database before sending them back to the MXview server. The database includes topology, job scheduling, events and device properties.
  • The configuration of event notification alarms that are sent through text messages and emails could be maliciously modified. The user could alter links, delete a device and add a third-party icon without permission from the legitimate system administrator.
  • Support for the MXview ToGo mobile app for remote monitoring and notification could be disabled or maliciously altered. As a result, the mobile user would not be properly notified of an event in MXview.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing