CVE-2026-9266
Awaiting Analysis Awaiting Analysis - Queue
Missing Cryptographic Step in Moxa Embedded Linux Firmware

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: Moxa Inc.

Description
A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure against CVE-2026-0714. However, an omission in the authorization session configuration causes the parameter encryption to provide no effective protection.Β An attacker with invasive physical access to the device can still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext. While successful exploitation results in full compromise of the encrypted disk volume, the attack requires invasive physical access, including opening the device and attaching external equipment to the SPI bus. Remote exploitation is not possible, and the attack does not affect any downstream systems.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-9266
EUVD
EUVD-2026-36411
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
moxa uc-1200a *
moxa uc-2200a *
moxa uc-3400a *
moxa uc-4400a *
moxa uc-8200 *
moxa v1200 *
moxa v2406c *
moxa v3200 *
moxa v3400 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-325 The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-9266 is a Missing Required Cryptographic Step vulnerability in Moxa's embedded Linux firmware for industrial computers and controllers. It is an incomplete fix of a previous vulnerability (CVE-2026-0714) where TPM2 parameter encryption was introduced but improperly configured, making the encryption ineffective. An attacker with invasive physical access to the device can intercept TPM communications on the SPI bus and extract the LUKS disk encryption key in plaintext, leading to full compromise of the encrypted disk volume.

The attack requires physical access to the device, including opening it and attaching external equipment to the SPI bus. Remote exploitation is not possible.

Impact Analysis

If exploited, this vulnerability allows an attacker with physical access to fully compromise the encrypted disk volume by extracting the disk encryption key in plaintext. This means sensitive data stored on the device could be accessed and potentially stolen or manipulated.

However, exploitation requires invasive physical access, such as opening the device and connecting to the SPI bus, so remote attacks are not possible.

To mitigate the risk, physical access to devices should be restricted, and security best practices like network segmentation, strong authentication, and regular firmware updates should be implemented.

Detection Guidance

This vulnerability requires invasive physical access to the device and involves capturing TPM communications on the SPI bus. It cannot be detected through network commands or remote system scans.

No specific detection commands or network-based detection methods are provided in the available information.

Mitigation Strategies

Immediate mitigation steps include applying the updated firmware images released by Moxa that address this vulnerability.

  • Restrict physical access to the affected devices to prevent invasive attacks.
  • Implement general security best practices such as network segmentation and strong authentication.
  • Regularly update device firmware to ensure all security patches are applied.
Compliance Impact

This vulnerability allows an attacker with invasive physical access to extract the LUKS disk encryption key in plaintext, leading to full compromise of the encrypted disk volume.

Such a compromise of encrypted data could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data through effective encryption and access controls.

However, exploitation requires physical access and invasive actions, and remote exploitation is not possible.

Mitigation includes restricting physical access and applying firmware updates, which are important for maintaining compliance with security best practices mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9266. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart