Skip to main content

Moxa Secure Router CVE-2026-3868

| EUVDEUVD-2026-25757 HIGH
Improper Handling of Length Parameter Inconsistency (CWE-130)
2026-04-27 psirt@moxa.com
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 04:30 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 04:22 euvd
EUVD-2026-25757
Analysis Generated
Apr 27, 2026 - 04:22 vuln.today
CVE Published
Apr 27, 2026 - 04:16 nvd
HIGH 8.7

DescriptionCVE.org

An improper handling of the length parameter inconsistency vulnerability has been identified in Moxa’s Secure Router. Because of improper validation of length parameters in the HTTPS management interface, an unauthenticated remote attacker could send specially crafted requests that trigger a buffer overflow condition, causing the web service to become unresponsive. Successful exploitation may result in a denial-of-service condition requiring a device reboot to restore normal operation. While successful exploitation can severely impact the availability of the affected device, no impact to the confidentiality or integrity of the affected product has been identified. Additionally, no confidentiality, integrity, or availability impact to the subsequent system has been identified.

AnalysisAI

Buffer overflow in Moxa Secure Router's HTTPS management interface allows unauthenticated remote attackers to crash the web service via specially crafted requests with malformed length parameters. Exploitation causes denial-of-service requiring device reboot, with no confidentiality or integrity impact. CVSS 8.7 reflects high availability impact to the vulnerable component only. No public exploit code identified at time of analysis, and no evidence of active exploitation (not in CISA KEV).

Technical ContextAI

This vulnerability stems from CWE-130 (Improper Handling of Length Parameter Inconsistency), where the HTTPS management interface fails to properly validate length parameters in incoming requests. When length values are inconsistent or malformed, the parser allocates insufficient buffer space or incorrectly processes data boundaries, triggering a buffer overflow. The CVSS 4.0 vector specifies VA:H (high availability impact to vulnerable component) with SC:N/SI:N/SA:N (no subsequent system impact), indicating the overflow is contained to the web service process and does not cascade to routing functions or connected networks. The vulnerability resides in the web management stack rather than the core routing firmware, limiting blast radius to administrative access functionality.

RemediationAI

Apply the firmware update specified in Moxa security advisory MPSA-261521 available at https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons. Until patching is completed, restrict HTTPS management interface access to trusted administrative networks only using firewall rules or router ACLs - block TCP port 443 management access from untrusted networks while permitting only from known admin IP ranges. Disabling HTTPS management entirely eliminates attack surface but prevents remote administration, requiring console/SSH access for configuration changes with associated operational overhead. For devices in remote locations, deploy VPN-based management access rather than direct internet exposure, adding authentication and encryption layers before reaching the vulnerable interface. Organizations using centralized management systems should verify those platforms connect via dedicated admin VLANs rather than production networks. Note that blocking management access does not affect routing/firewall functionality but does require alternative administrative channels.

Share

CVE-2026-3868 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy