Moxa OnCell G3100-HSPA Series Firmware version 1.4 Build 16062919 and prior
- Impact: Attacker can bruteforce authentication parameters
- Access Vector: Remote
- CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Overall CVSS Score: 9.8
- CVE ID: CVE-2018-11426
- CWE ID: 287
Moxa OnCell G3100-HSPA Series devices are industrial five-band HSPA high speed IP gateways with VPN functionality
A weak Cookie parameter is used in the web application of OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. An attacker can brute force parameters required to bypass authentication and access the web interface to use all its functions except of the password change.
Apply firmware patch from vendor.
Vulnerability was discovered by Eugenie Potseluevskaya (Kaspersky Lab).