CVE-2026-0714
Physical TPM SPI Bus Attack Enables Offline Disk Decryption on Moxa Industrial Linux

Publication date: 2026-02-05

Last updated on: 2026-02-18

Assigner: Moxa Inc.

Description
A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasive physical access, including opening the device and attaching external equipment to the SPI bus to capture TPM communications. If successful, the captured data may allow offline decryption of eMMC contents. This attack cannot be performed through brief or opportunistic physical access and requires extended physical access, possession of the device, appropriate equipment, and sufficient time for signal capture and analysis. Remote exploitation is not possible.
Meta Information
Published: 2026-02-05
Last Modified: 2026-02-18
Generated: 2026-05-07
AI Q&A: 2026-02-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 35 associated CPEs
Vendor Product Version / Range
moxa uc-1222a_firmware to 1.4 (inc)
moxa uc-2222a-t-us_firmware to 1.4 (inc)
moxa uc-2222a-t_firmware to 1.4 (inc)
moxa uc-2222a-t-ap_firmware to 1.4 (inc)
moxa uc-2222a-t-eu_firmware to 1.4 (inc)
moxa uc-3434a-t-lte-wifi_firmware to 1.2 (inc)
moxa uc-3424a-t-lte_firmware to 1.2 (inc)
moxa uc-3420a-t-lte_firmware to 1.2 (inc)
moxa uc-3430a-t-lte-wifi_firmware to 1.2 (inc)
moxa uc-4450a-t-5g_firmware to 1.3 (inc)
moxa uc-4434a-i-t_firmware to 1.3 (inc)
moxa uc-4410a-t_firmware to 1.3 (inc)
moxa uc-4454a-t-5g_firmware to 1.3 (inc)
moxa uc-4414a-i-t_firmware to 1.3 (inc)
moxa uc-4430a-t_firmware to 1.3 (inc)
moxa uc-8210-t-lx-s_firmware to 1.5 (inc)
moxa uc-8220-t-lx-eu-s_firmware to 1.5 (inc)
moxa uc-8220-t-lx-ap-s_firmware to 1.5 (inc)
moxa uc-8220-t-lx-us-s_firmware to 1.5 (inc)
moxa uc-8220-t-lx_firmware to 1.5 (inc)
moxa v1202-ct-t_firmware to 1.2.0 (inc)
moxa v1222-ct-t_firmware to 1.2.0 (inc)
moxa v1222-w-ct-t_firmware to 1.2.0 (inc)
moxa v2406c-kl7-ct-t_firmware to 1.2 (inc)
moxa v2406c-kl7-t_firmware to 1.2 (inc)
moxa v2406c-wl7-ct-t_firmware to 1.2 (inc)
moxa v2406c-wl5-t_firmware to 1.2 (inc)
moxa v2406c-kl1-ct-t_firmware to 1.2 (inc)
moxa v2406c-wl3-t_firmware to 1.2 (inc)
moxa v2406c-wl1-ct-t_firmware to 1.2 (inc)
moxa v2406c-kl3-t_firmware to 1.2 (inc)
moxa v2406c-wl1-t_firmware to 1.2 (inc)
moxa v2406c-kl1-t_firmware to 1.2 (inc)
moxa v2406c-wl7-t_firmware to 1.2 (inc)
moxa v2406c-kl5-t_firmware to 1.2 (inc)
CWE
CWE ID Description
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in certain Moxa industrial computers that use TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3. The discrete TPM is connected to the CPU via an SPI bus. An attacker with invasive physical access can open the device and attach external equipment to the SPI bus to capture TPM communications.

If the attacker successfully captures this data, they may be able to decrypt the eMMC storage contents offline. However, this attack requires extended physical access, possession of the device, appropriate equipment, and sufficient time for signal capture and analysis. It cannot be performed remotely or through brief physical access.


How can this vulnerability impact me?

If exploited, this vulnerability could allow an attacker to decrypt the contents of the device's eMMC storage offline, potentially exposing sensitive data stored on the device.

However, exploitation requires invasive and extended physical access to the device, specialized equipment, and time, making it a complex and targeted attack.

Remote exploitation is not possible, so the risk is limited to scenarios where an attacker can physically access and manipulate the device.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability requires invasive physical access to the device, including opening it and attaching external equipment to the SPI bus to capture TPM communications. Because exploitation involves physical hardware manipulation and signal capture, it cannot be detected through network or system commands.

Therefore, there are no specific commands or network-based detection methods available to identify this vulnerability on your system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, restrict physical access to the affected Moxa industrial computers to prevent invasive attacks.

  • Ensure devices are stored in secure locations with controlled access.
  • Use tamper-evident seals or enclosures to detect unauthorized physical access.
  • Monitor and audit physical access to devices regularly.

Since the attack requires extended physical access and specialized equipment, limiting physical access is the primary mitigation step.

