HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-9266Published Modified CNA Moxa

CVE-2026-9266: A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers

A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure against CVE-2026-0714. However, an omission in the authorization session configuration causes the parameter encryption to provide no effective protection. An attacker with invasive physical access to the device can still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext. While successful exploitation results in full compromise of the encrypted disk volume, the attack requires invasive physical access, including opening the device and attaching external equipment to the SPI bus. Remote exploitation is not possible, and the attack does not affect any downstream systems.

Metrics

CVSS v4.0
7.0
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A missing required cryptographic step vulnerability exists in Moxa's embedded Linux firmware for the UC-1200A Series industrial computers and controllers. The firmware attempted to remediate a prior vulnerability (CVE-2026-0714) by introducing TPM2 parameter encryption, but a misconfiguration in the authorization session renders that protection ineffective, allowing an attacker with invasive physical access to capture TPM communications over the SPI bus and recover the LUKS disk encryption key in plaintext. Successful exploitation results in full compromise of the encrypted disk volume. No fix version has been published; HarborGuard tracks this advisory and will make a patched rebuild available as soon as Moxa releases a corrected firmware.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-9266 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images derived from affected Moxa firmware. Any image pinned to UC-1200A Series firmware at version 1.4 or earlier is flagged automatically on scan.

Available
Triage

HarborGuard scores this CVE at 7.0 HIGH using the published CVSS v4.0 vector and weights findings against each customer's per-environment compliance policy, routing alerts to the appropriate team inbox based on configured ownership rules for embedded or industrial workloads.

Available
Patch

Because no fix version has been published, HarborGuard re-checks the Moxa advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream firmware correction is released. In the meantime, customers can use HarborGuard's policy controls to flag affected images and apply compensating-control annotations directly in the triage workflow.

Pending upstream

Exploit Conditions

  • Network reachabilityNot required

    Physical proximity is required; the attacker must open the device and attach external equipment to the SPI bus, and remote exploitation is not possible.

  • AuthenticationNot required

    No account credentials or software-level authentication are required; the attack is conducted at the hardware bus level before any OS authentication layer is reached.

  • Victim interactionNot required

    No user action is needed; once the attacker has physical access to the opened device, the capture and key derivation proceed without any interaction from a legitimate user.

  • Attack complexityDetail

    The exploit is condition-free once physical access is established, with no race conditions or unpredictable environmental factors required to capture and decode the TPM SPI traffic.

Blast Radius

  • Reads the LUKS disk encryption key in plaintext, decrypting the full contents of the protected disk volume.
  • Accesses all data stored on the device, including configuration files, credentials, and operational logs.
  • Modifies firmware or persisted data on the disk, enabling persistent tampering with the industrial controller.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-9266 is actively monitored against customer images running UC-1200A Series firmware at version 1.4 or earlier. Because Moxa has not yet published a fix, HarborGuard re-evaluates the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a corrected firmware version is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. While awaiting an upstream patch, compensating controls available through HarborGuard's policy engine include flagging affected images as non-compliant for production deployment, applying network-policy isolation annotations to workloads that incorporate this firmware, and configuring alert routing to ensure industrial or embedded platform owners are notified directly. Because exploitation requires invasive physical access to the hardware, software-layer mitigations are limited, and physical security controls at the deployment site remain the primary compensating measure until Moxa ships a remediated firmware release.

See how HarborGuard automates this
Affected packages
  • Moxa / UC-1200A Series
    ≤ 1.4
CVSS Vector
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References