Moxa OnCell Central Manager 'MessageBrokerServlet' Servlet Authentication Bypass Vulnerabilities
14 Mar. 2016
Summary
The MessageBrokerServlet servlet in Moxa OnCell Central Manager before 2.2 does not require authentication, which allows remote attackers to obtain administrative access via a command, as demonstrated by the addUserAndGroup action.
Credit:
The information has been provided by Andrea Micalizzi (rgod).
Vulnerable Systems:
* Moxa OnCell Central Manager before 2.2
Immune Systems:
* Moxa OnCell Central Manager 2.2 and later
Moxa OnCell Central Manager is prone to a remote authentication-bypass vulnerability. The MessageBrokerServlet servlet dispatches commands without first checking for an authenticated session, so an unauthenticated remote attacker who can reach the web interface can invoke privileged actions such as addUserAndGroup and thereby obtain administrative access. Once administrative access is obtained, the attacker can perform any action the application allows, which may aid in further attacks against the managed OnCell devices. Upgrade to version 2.2 or later; until the upgrade is applied, restrict network access to the Central Manager web interface to trusted hosts.
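The bug class described above, as an added example that is not Moxa's code and does not reproduce the real servlet: a minimal servlet that dispatches on an "action" request parameter, shown first in the vulnerable shape (every action reachable by any remote caller) and then in a hardened shape that authenticates and then authorizes before dispatching. The parameter names, session attribute names and role name are assumptions for illustration only; the real request format of MessageBrokerServlet is not documented on this page.

```java
// Added example, not Moxa's code. Parameter names ("action", "user",
// "group"), session attributes ("user", "role") and the role value
// "admin" are assumptions for illustration only.
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** VULNERABLE pattern: the handler never looks at who is calling. */
class VulnerableBrokerServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        if ("addUserAndGroup".equals(action)) {
            // Privileged operation executed for any remote caller: an
            // unauthenticated request creates a user in any group it names.
            UserStore.addUserAndGroup(req.getParameter("user"),
                                      req.getParameter("group"));
            resp.setStatus(HttpServletResponse.SC_OK);
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown action");
        }
    }
}

/** HARDENED pattern: authenticate, then authorize the specific action. */
class HardenedBrokerServlet extends HttpServlet {
    // Actions that only an administrator may invoke (assumed list).
    private static final Set<String> ADMIN_ACTIONS = Set.of("addUserAndGroup");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) never creates a session; an absent or
        // anonymous session means the caller has not logged in.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login required");
            return;
        }

        String action = req.getParameter("action");
        if (action == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing action");
            return;
        }

        // Authorization is decided per action, not per servlet: an
        // authenticated low-privilege user must still be refused here.
        if (ADMIN_ACTIONS.contains(action)
                && !"admin".equals(session.getAttribute("role"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "administrator only");
            return;
        }

        switch (action) {
            case "addUserAndGroup":
                UserStore.addUserAndGroup(req.getParameter("user"),
                                          req.getParameter("group"));
                resp.setStatus(HttpServletResponse.SC_OK);
                break;
            default:
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown action");
        }
    }
}

/** Stand-in for the application's user database (assumed). */
final class UserStore {
    private UserStore() {}

    static void addUserAndGroup(String user, String group) {
        if (user == null || group == null) {
            throw new IllegalArgumentException("user and group are required");
        }
        // Persisting the account is out of scope for this example.
        System.out.println("created user " + user + " in group " + group);
    }
}
```

The per-handler check in HardenedBrokerServlet is the minimum; in a real deployment the authentication requirement should also be enforced at the container level (a servlet filter or a web.xml security-constraint covering the servlet's URL pattern) so that a newly added servlet or action cannot be shipped without it, which is exactly the omission this advisory describes.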