Description
A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure against CVE-2026-0714. However, an omission in the authorization session configuration causes the parameter encryption to provide no effective protection. An attacker with invasive physical access to the device can still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext. While successful exploitation results in full compromise of the encrypted disk volume, the attack requires invasive physical access, including opening the device and attaching external equipment to the SPI bus. Remote exploitation is not possible, and the attack does not affect any downstream systems.
Published: 2026-06-12
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing cryptographic step in Moxa's embedded Linux firmware allows an attacker with invasive physical access to capture TPM communications on the SPI bus and recover the LUKS disk encryption key in plaintext. This flaw effectively disables the intended protection from prior CVE-2026-0714 mitigations, resulting in full compromise of the encrypted disk volume. The vulnerability is a CWE‑325 weakness in the authorization session configuration that omits required encryption.

Affected Systems

Manufacturers using Moxa UC‑1200A Series industrial computers and controllers are affected. The vulnerability applies to all firmware revisions of the UC‑1200A Series that include the incomplete TPM2 parameter encryption implementation. No specific firmware version is listed, but all devices that ship with the referenced firmware configuration are impacted.

Risk and Exploitability

The CVSS 4.0 score of 7 is rated High, and the attack requires invasive physical access such as opening the device and attaching equipment to the SPI bus. Remote exploitation is not feasible, and the flaw does not affect downstream systems. Because EPSS is not available and the flaw is not listed in CISA's KEV catalog, the likelihood of widespread exploitation is uncertain, but the impact on affected devices is complete. Implementing the vendor's fix and enforcing strict physical security are critical to mitigate this risk.

Generated by OpenCVE AI on June 12, 2026 at 12:51 UTC.

Remediation

Vendor Solution

Please refer to Moxa's security advisory.


OpenCVE Recommended Actions

  • Apply the firmware update or configuration change recommended in Moxa's security advisory (MPSA-266240) to eliminate the missing cryptographic step.
  • Implement physical security controls to prevent unauthorized physical access to devices, including tamper‑protection and lockout.
  • Enable or enforce TPM2 parameter encryption after deploying the fix, ensuring that the firmware correctly encrypts parameters to protect against future similar flaws.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 13:15:00 +0000

Type | Values Removed | Values Added
Title | | Missing Cryptographic Step Enables Physical Capture of Disk Encryption Key

Fri, 12 Jun 2026 11:15:00 +0000

Type | Values Removed | Values Added
Description | | A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure against CVE-2026-0714. However, an omission in the authorization session configuration causes the parameter encryption to provide no effective protection. An attacker with invasive physical access to the device can still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext. While successful exploitation results in full compromise of the encrypted disk volume, the attack requires invasive physical access, including opening the device and attaching external equipment to the SPI bus. Remote exploitation is not possible, and the attack does not affect any downstream systems.
First Time appeared | | Moxa; Moxa uc-1200a Series
Weaknesses | | CWE-325
CPEs | | cpe:2.3:a:moxa:uc-1200a_series:*:*:os_image_mil3_secure_version_:*:*:*:*:*
Vendors & Products | | Moxa; Moxa uc-1200a Series
References | |
Metrics | | cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Moxa

Published:

Updated: 2026-06-12T13:29:34.626Z

Reserved: 2026-05-22T02:41:04.026Z

Link: CVE-2026-9266

Vulnrichment

Updated: 2026-06-12T13:29:30.668Z

NVD

Status: Awaiting Analysis

Published: 2026-06-12T11:16:23.297

Modified: 2026-06-12T16:06:17.027

Link: CVE-2026-9266

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T13:00:14Z

Weaknesses
  • CWE-325: Missing Cryptographic Step