{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tn-4900-series/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-3867"},{"id":"CVE-2026-3868"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TN-4900 Series","EDR-8010 Series","EDR-G9010 Series","OnCell G4302-LTE4 Series","OnCell G4308-LTE4 Series","EDF-G1002-BP Series"],"_cs_severities":["high"],"_cs_tags":["vulnerability","router","industrial-control-systems"],"_cs_type":"advisory","_cs_vendors":["Moxa"],"content_html":"\u003cp\u003eOn April 27, 2026, Moxa published a security advisory (MPSA-261521) to address vulnerabilities, specifically CVE-2026-3867 and CVE-2026-3868, affecting several of their industrial router products. These vulnerabilities reside in the firmware of TN-4900 Series (firmware version v3.22 and prior), EDR-8010 Series (firmware version v3.23 and prior), EDR-G9010 Series (firmware version v3.23.1 and prior), OnCell G4302-LTE4 Series (firmware version v3.23.0 and prior), OnCell G4308-LTE4 Series (firmware version v3.23.0 and prior), and EDF-G1002-BP Series (firmware version v3.23 and prior). Successful exploitation could allow attackers to gain unauthorized access or control over affected devices, potentially disrupting industrial processes and critical infrastructure. Defenders should promptly apply the recommended updates to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Moxa router, such as a TN-4900 series running firmware v3.22 or prior.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits CVE-2026-3867 (Improper Ownership Management) to manipulate file permissions on the device.\u003c/li\u003e\n\u003cli\u003eExploiting the improper file ownership, the attacker overwrites critical system files with malicious versions.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits CVE-2026-3868 (Improper Handling of Length Parameter Inconsistency) to trigger a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow allows the attacker to inject arbitrary code into the running system process.\u003c/li\u003e\n\u003cli\u003eThe injected code provides the attacker with a reverse shell to the device with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the reverse shell to gain full control over the router, modifying configurations and potentially disrupting network operations.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker pivots to other devices on the network, using the compromised router as a launchpad for further attacks within the industrial control system (ICS) network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could allow unauthorized access and control of the affected Moxa routers. In industrial environments, this can lead to disruption of critical services, manipulation of industrial processes, and potential physical damage to equipment. Given the widespread use of Moxa devices in various sectors, including manufacturing, transportation, and energy, a successful attack could have significant consequences. The impact would vary depending on the specific industrial process controlled by the affected router, but could potentially affect dozens of organizations and even critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all affected Moxa devices (TN-4900, EDR-8010, EDR-G9010, OnCell G4302-LTE4, OnCell G4308-LTE4, and EDF-G1002-BP Series) to the latest firmware versions as recommended in the Moxa security advisory.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns or connections originating from Moxa routers, indicative of potential exploitation, by deploying the \u0026ldquo;Detect Suspicious Outbound Connection from Moxa Router\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit access to Moxa devices and segment the network to prevent lateral movement in case of a compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T14:42:57Z","date_published":"2026-04-27T14:42:57Z","id":"/briefs/2026-04-moxa-router-vulns/","summary":"Moxa released a security advisory addressing CVE-2026-3867 and CVE-2026-3868, which affect TN-4900, EDR-8010, EDR-G9010, OnCell G4302-LTE4, OnCell G4308-LTE4, and EDF-G1002-BP series routers, potentially allowing for unauthorized access and control.","title":"Moxa Security Advisory Addresses Vulnerabilities in Multiple Router Series","url":"https://feed.craftedsignal.io/briefs/2026-04-moxa-router-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — TN-4900 Series","version":"https://jsonfeed.org/version/1.1"}