CVE-2026-3867Medium

An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low…

CVSS

6.0

Medium

EPSS

0.00

p14

Published

2026-01-01

Updated

2026-01-01

Description

An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition — when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified.

Tags · CWE

CWE-282

CAPEC-17

CAPEC-35

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

2026-01-01

Published

2026-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Attack Requirements

AT: P

Present

Privileges Required

PR: L

Low (L)

User Interaction

UI: N

None (N)

Vulnerable System Confidentiality

VC: H

High (H)

Vulnerable System Integrity

VI: N

None (N)

Vulnerable System Availability

VA: N

None (N)

Subsequent System Confidentiality

SC: N

None (N)

Subsequent System Integrity

SI: N

None (N)

Subsequent System Availability

SA: N

None (N)

Exploit Code Maturity

E: X

Not Defined

Confidentiality Requirement

CR: X

Not Defined

Integrity Requirement

IR: X

Not Defined

Availability Requirement

AR: X

Not Defined

Modified Attack Vector

MAV: X

Not Defined

Modified Attack Complexity

MAC: X

Not Defined

Modified Attack Requirements

MAT: X

Not Defined

Modified Privileges Required

MPR: X

Not Defined

Modified User Interaction

MUI: X

Not Defined

Modified Vulnerable System Confidentiality

MVC: X

Not Defined

Modified Vulnerable System Integrity

MVI: X

Not Defined

Modified Vulnerable System Availability

MVA: X

Not Defined

Modified Subsequent System Confidentiality

MSC: X

Not Defined

Modified Subsequent System Integrity

MSI: X

Not Defined

Modified Subsequent System Availability

MSA: X

Not Defined

S: X

AU: X

R: X

V: X

RE: X

U: X

Exploit indicators

EPSS

0.002 · p14

Known exploited (KEV)

MITRE ATT&CK

Inferred via CAPEC

T1027.006HTML Smuggling

└ via CAPEC-35 · CWE-282

T1027.009Embedded Payloads

└ via CAPEC-35 · CWE-282

T1564.009Resource Forking

└ via CAPEC-35 · CWE-282

T1574.005Executable Installer File Permissions Weakness

└ via CAPEC-17 · CWE-282

T1574.010Services File Permissions Weakness

└ via CAPEC-17 · CWE-282

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

No vulnerabilities match your filters.

External references

https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons