Severity by source
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Physical access with chassis opening and SPI probing equipment justifies AV:P and AC:H; no auth or UI needed once physical, and full LUKS compromise yields C/I/A:H.
Primary rating from Vendor (Moxa).
CVSS VectorVendor: Moxa
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure against CVE-2026-0714. However, an omission in the authorization session configuration causes the parameter encryption to provide no effective protection. An attacker with invasive physical access to the device can still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext. While successful exploitation results in full compromise of the encrypted disk volume, the attack requires invasive physical access, including opening the device and attaching external equipment to the SPI bus. Remote exploitation is not possible, and the attack does not affect any downstream systems.
AnalysisAI
Disk encryption bypass in Moxa UC-1200A series industrial computers allows an attacker with invasive physical access to recover the LUKS disk encryption key by sniffing the SPI bus between the CPU and TPM2 chip. The flaw is an incomplete fix for CVE-2026-0714 - Moxa added TPM2 parameter encryption but misconfigured the authorization session so the encryption provides no real protection. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires invasive physical access to the UC-1200A device: the attacker must open the chassis and physically attach SPI bus probing equipment (logic analyzer or sniffer) between the SoC and the discrete TPM2 chip, then trigger a boot/unseal cycle to capture the LUKS key in transit. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate and highly bounded. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker gains brief unattended physical access to a deployed UC-1200A - for example a controller in a remote substation cabinet or a stolen unit - opens the chassis, clips a logic analyzer or SPI sniffer onto the bus between the SoC and the TPM2 chip, and power-cycles the device. During the boot-time unseal operation the LUKS key traverses the SPI bus and, because parameter encryption is misconfigured, is captured in plaintext; the attacker then images the storage and unlocks the encrypted volume offline at leisure. … |
| Remediation | Patch available per vendor advisory - apply the firmware update referenced in Moxa advisory MPSA-266240 at https://www.moxa.com/en/support/product-support/security-advisory/mpsa-266240-cve-2026-9266-missing-required-cryptographic-step-vulnerability-in-industrial-computers, which corrects the TPM2 authorization session configuration so parameter encryption actually protects the unsealed LUKS key on the SPI bus; the input data does not name an exact fixed firmware version, so confirm the target build with Moxa support before deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Moxa UC-1200A deployments and categorize by data sensitivity and physical location access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-325 – Missing Cryptographic Step
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36411
GHSA-2j43-x625-hw9q