CVE-2026-0715
Bootloader Access Vulnerability in Moxa Industrial Linux Devices
Publication date: 2026-02-05
Last updated on: 2026-02-18
Assigner: Moxa Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| moxa | uc-1222a_firmware | to 1.4 (inc) |
| moxa | uc-2222a-t-us_firmware | to 1.4 (inc) |
| moxa | uc-2222a-t_firmware | to 1.4 (inc) |
| moxa | uc-2222a-t-ap_firmware | to 1.4 (inc) |
| moxa | uc-2222a-t-eu_firmware | to 1.4 (inc) |
| moxa | uc-3434a-t-lte-wifi_firmware | to 1.2 (inc) |
| moxa | uc-3424a-t-lte_firmware | to 1.2 (inc) |
| moxa | uc-3420a-t-lte_firmware | to 1.2 (inc) |
| moxa | uc-3430a-t-lte-wifi_firmware | to 1.2 (inc) |
| moxa | uc-4450a-t-5g_firmware | to 1.3 (inc) |
| moxa | uc-4434a-i-t_firmware | to 1.3 (inc) |
| moxa | uc-4410a-t_firmware | to 1.3 (inc) |
| moxa | uc-4454a-t-5g_firmware | to 1.3 (inc) |
| moxa | uc-4414a-i-t_firmware | to 1.3 (inc) |
| moxa | uc-4430a-t_firmware | to 1.3 (inc) |
| moxa | uc-8210-t-lx-s_firmware | to 1.5 (inc) |
| moxa | uc-8220-t-lx-eu-s_firmware | to 1.5 (inc) |
| moxa | uc-8220-t-lx-ap-s_firmware | to 1.5 (inc) |
| moxa | uc-8220-t-lx-us-s_firmware | to 1.5 (inc) |
| moxa | uc-8220-t-lx_firmware | to 1.5 (inc) |
| moxa | v1202-ct-t_firmware | to 1.2.0 (inc) |
| moxa | v1222-ct-t_firmware | to 1.2.0 (inc) |
| moxa | v1222-w-ct-t_firmware | to 1.2.0 (inc) |
| moxa | v2406c-kl7-ct-t_firmware | to 1.2 (inc) |
| moxa | v2406c-kl7-t_firmware | to 1.2 (inc) |
| moxa | v2406c-wl7-ct-t_firmware | to 1.2 (inc) |
| moxa | v2406c-wl5-t_firmware | to 1.2 (inc) |
| moxa | v2406c-kl1-ct-t_firmware | to 1.2 (inc) |
| moxa | v2406c-wl3-t_firmware | to 1.2 (inc) |
| moxa | v2406c-wl1-ct-t_firmware | to 1.2 (inc) |
| moxa | v2406c-kl3-t_firmware | to 1.2 (inc) |
| moxa | v2406c-wl1-t_firmware | to 1.2 (inc) |
| moxa | v2406c-kl1-t_firmware | to 1.2 (inc) |
| moxa | v2406c-wl7-t_firmware | to 1.2 (inc) |
| moxa | v2406c-kl5-t_firmware | to 1.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Moxa Arm-based industrial computers running Moxa Industrial Linux Secure. These devices use a device-unique bootloader password that is printed on the device. An attacker with physical access to the device can use this password to access the bootloader menu via a serial interface.
However, accessing the bootloader menu does not allow the attacker to take full control of the system or escalate privileges because the bootloader enforces digital signature verification and only permits flashing of Moxa-signed images. Therefore, the attacker cannot install malicious firmware or execute arbitrary code.
The main impact of this vulnerability is a potential temporary denial-of-service condition if a valid image is reflashed. Remote exploitation is not possible.
How can this vulnerability impact me?
The primary impact of this vulnerability is a potential temporary denial-of-service condition. An attacker with physical access could reflash a valid image via the bootloader menu, temporarily disrupting device operation.
Since the bootloader only allows flashing of Moxa-signed images and enforces digital signature verification, the attacker cannot install malicious firmware or execute arbitrary code, so full system takeover or privilege escalation is not possible.
Remote exploitation is not possible, so the risk is limited to scenarios where an attacker has physical access to the device.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves physical access to the device's bootloader via a serial interface using a device-unique bootloader password printed on the device. Detection primarily involves verifying if unauthorized physical access to the device or serial interface has occurred.
Since the vulnerability does not allow remote exploitation and relates to physical access, network-based detection is limited. However, general security recommendations include implementing anomaly detection and maintaining logging and monitoring to identify unusual access patterns.
No specific commands for detecting this vulnerability on the system or network are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include changing the bootloader default password as detailed in the Moxa Industrial Linux 3.x (Debian 11) Arm-based Computers Manual (Security Hardening Guide).
Operate devices in controlled physical access environments to prevent unauthorized physical access.
Apply the security patches released by Moxa, which involve updating the system kernel to version 5.10.234-cip57-rt25-moxa9-1+deb11u2 using apt commands followed by a system reboot.
- Change the bootloader default password.
- Restrict physical access to devices.
- Update the system with the provided security patches via apt and reboot.
- Restrict network access and minimize exposure.
- Enhance authentication and access control.
- Regularly update firmware and secure remote access.
- Implement anomaly detection and maintain logging and monitoring.