In the case of Moxa’s MXView, five critical flaws were recently disclosed that could allow an attacker to execute arbitrary code on systems that have not been updated. The five flaws cover a few items inside the software, but when strung together they allow a remote attacker to leverage a core communication function to gain access. Two of the disclosed vulnerabilities relate to password usage and leakage. CVE-2021-38456 covers the use of hardcoded passwords inside the software, while CVE-2021-38460 covers potential leakage of these and other passwords. The three others comprise a path traversal vulnerability (allowing access to the hardcoded passwords), improper controls to prevent unauthorized commands (the arbitrary code bit), and remote access to MQTT, which is the main communication service for the software.
This is like a perfect storm of vulnerabilities that would allow an attacker full control over a targeted system. The flaws were found and disclosed to Moxa in October 2021. They are present in MXView 3.x up to and including 3.2.2. Version 3.2.4, which was released in July of 2021, does not appear to be affected. Moxa recently released version 3.2.6 of MXView on January 7th of this year. It is recommended that organizations using MXView update to a non-affected version as soon as possible.
We cannot stress this enough: remote management and monitoring software is a fantastic option to help with maintaining and controlling an environment. However, by its nature it can quickly become a target and a nightmare if it is not built with proper controls or is left to run on older versions that have flaws in them. Developers and vendors of these types of software, as well as the groups that use them, must make sure they are keeping them up to date and monitoring them. They should always be treated as a threat and a risk, simply because of how much damage they can do if abused or compromised.