Talos Vulnerability Report


Moxa EDR-810 Web Server Cross-Site Request Forgery Vulnerability

April 13, 2018
CVE Number



An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs


CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H


CWE-352 - Cross-Site Request Forgery (CSRF)


In order to trigger the CSRF, a logged-in user needs to visit a page with malicious code on it. The malicious code will be able to do anything the logged-in user can do. For example, the malicious code could add a user, modify firewall rules, etc. This could also be chained with a command injection to get a root shell on the device. This problem is compounded by the fact that users cannot log out of the device, meaning that a user’s session will remain valid long after they’ve stopped interacting with the device.
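The two weaknesses described above (state-changing requests accepted on the strength of a session cookie alone, and sessions that never end) map onto two server-side checks a device web server should make: a per-session anti-CSRF token compared on every state-changing request, and an idle timeout that invalidates a session the user has stopped using. The following Python is an added illustration of those checks and is not code from Talos or from the Moxa firmware; the endpoint path, the device origin `https://192.0.2.10`, the 10-minute idle timeout and the sample requests are all constructed for the example. The "cross-site" request is shaped like the proof-of-concept form: the browser attaches the session cookie automatically, but there is no token and the `Origin` header names a third-party site.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumption: the device serves its UI from this single origin (constructed value).
ALLOWED_ORIGIN = "https://192.0.2.10"
# Assumption: a 10-minute idle timeout; the advisory notes the device has none.
IDLE_TIMEOUT_SECONDS = 600


@dataclass
class Session:
    """Server-side session: a random per-session CSRF token and a last-activity stamp."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_seen: float = field(default_factory=time.time)


@dataclass
class Request:
    """Minimal view of an HTTP request as a handler would see it."""
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    cookies: Dict[str, str]


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is the device itself.
    A request carrying neither header is rejected: a browser-submitted cross-site form
    always sends Origin, so the strict choice costs nothing for real UI traffic."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def check_state_changing_request(req: Request, sessions: Dict[str, Session],
                                 now: float = None) -> Tuple[bool, str]:
    """Gate for POST/PUT/DELETE: valid, unexpired session + same origin + matching token."""
    now = time.time() if now is None else now
    if req.method not in ("POST", "PUT", "DELETE"):
        return True, "safe method"
    sid = req.cookies.get("sid")
    session = sessions.get(sid)
    if session is None:
        return False, "no session"
    if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
        del sessions[sid]                      # idle session is dropped, not just refused
        return False, "session expired"
    if not origin_allowed(req.headers):
        return False, "bad origin"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):   # constant-time compare
        return False, "bad csrf token"
    session.last_seen = now
    return True, "ok"


def demo() -> Dict[str, str]:
    """Run four constructed requests through the gate and return the verdict for each."""
    sessions = {"abc": Session(user="admin")}
    token = sessions["abc"].csrf_token
    host = {"Host": "192.0.2.10"}
    legitimate = Request("POST", "/constructed-endpoint", {**host, "Origin": ALLOWED_ORIGIN},
                         {"ifs": "1", "ip": "192.0.2.1", "csrf_token": token}, {"sid": "abc"})
    # Shaped like the PoC form: cookie present, no token, foreign Origin.
    cross_site = Request("POST", "/constructed-endpoint", {**host, "Origin": "https://third-party.example"},
                         {"ifs": "1", "ip": "192.0.2.1"}, {"sid": "abc"})
    # Right origin but the token was dropped: still refused.
    missing_token = Request("POST", "/constructed-endpoint", {**host, "Origin": ALLOWED_ORIGIN},
                            {"ifs": "1", "ip": "192.0.2.1"}, {"sid": "abc"})
    t0 = time.time()
    results = {}
    results["legitimate"] = check_state_changing_request(legitimate, sessions, now=t0)[1]
    results["cross_site"] = check_state_changing_request(cross_site, sessions, now=t0)[1]
    results["missing_token"] = check_state_changing_request(missing_token, sessions, now=t0)[1]
    # The same legitimate request after the idle window has passed.
    results["idle"] = check_state_changing_request(legitimate, sessions,
                                                   now=t0 + IDLE_TIMEOUT_SECONDS + 1)[1]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The origin check and the token check are deliberately both present: the token is the primary defence, while the origin check gives a cheap first reject and covers the case where a token leaks through a page that reflects it. The idle-timeout branch deletes the session rather than merely refusing the request, which is the behaviour the advisory's "cannot log out" remark is pointing at.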

Exploit Proof-of-Concept

    <form action="" method="POST">
      <input type="hidden" name="pingTmp" value="" />
      <input type="hidden" name="ifs" value="1" />
      <input type="hidden" name="ip" value="" />
      <input type="submit" value="Submit request" />
    </form>


2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release


Discovered by Carlos Pacho of Cisco Talos.