
Infrastructure · Credibility 40/100 · 5 min read

Infrastructure Briefing — Moxa EDR-G902/G903 router buffer overflow exposure

CISA’s ICSA-20-196-02 advisory flags a critical stack-based buffer overflow in Moxa EDR-G902 and EDR-G903 routers (firmware 5.4 and prior) that can crash industrial firewalls or permit remote code execution until patched.

Executive briefing: CISA reports that Moxa EDR-G902 and EDR-G903 industrial routers running firmware 5.4 or earlier contain a stack-based buffer overflow that can crash the device and open a path for remote code execution against gateway firewalls.

Immediate actions for ICS network owners

  • Apply the vendor firmware patch. Follow Moxa’s advisory to install the fixed build on all EDR-G902/G903 units and confirm signatures before deployment.
  • Restrict exposure. Ensure management interfaces stay off the public internet, place routers behind dedicated firewalls, and limit access to trusted subnets.
  • Hunt for crash indicators. Review router logs and monitoring systems for unexplained reboots or service failures that could indicate exploit attempts.
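
One way to hunt for the unexplained reboots mentioned above, as an added example that is not part of the original briefing or of CISA's or Moxa's material: it infers reboots from uptime polls (for instance SNMP sysUpTime) and suppresses those that fall inside an approved maintenance window. Device names, timestamps and windows are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data: (poll time, device name, reported uptime in seconds).
# In practice these rows would come from SNMP sysUpTime polls or a monitoring export.
POLLS = [
    ("2020-07-20T08:00:00", "edr-g903-plant1", 864000),
    ("2020-07-20T08:05:00", "edr-g903-plant1", 864300),
    ("2020-07-20T08:10:00", "edr-g903-plant1", 120),   # uptime reset, no window
    ("2020-07-20T08:00:00", "edr-g902-plant2", 500000),
    ("2020-07-20T08:05:00", "edr-g902-plant2", 500300),
    ("2020-07-21T02:05:00", "edr-g902-plant2", 200),   # reset inside a window
]
# Constructed approved maintenance windows per device: (start, end).
MAINTENANCE = {
    "edr-g902-plant2": [("2020-07-21T02:00:00", "2020-07-21T03:00:00")],
}

def _ts(s):
    return datetime.fromisoformat(s)

def find_reboots(polls, slack=timedelta(seconds=60)):
    """Yield (device, estimated_boot_time) each time a device's boot time moves forward."""
    last_boot = {}
    for when, dev, uptime in sorted(polls, key=lambda p: (p[1], _ts(p[0]))):
        # Boot time estimate = poll time minus reported uptime.
        boot = _ts(when) - timedelta(seconds=uptime)
        prev = last_boot.get(dev)
        # A later boot time than last seen (beyond clock jitter) means a restart.
        if prev is not None and boot > prev + slack:
            yield dev, boot
        last_boot[dev] = boot

def unexplained_reboots(polls, maintenance):
    """Return reboots whose estimated boot time lies outside every approved window."""
    hits = []
    for dev, boot in find_reboots(polls):
        windows = maintenance.get(dev, [])
        if not any(_ts(a) <= boot <= _ts(b) for a, b in windows):
            hits.append((dev, boot.isoformat()))
    return hits

if __name__ == "__main__":
    for dev, boot in unexplained_reboots(POLLS, MAINTENANCE):
        print(f"UNEXPLAINED REBOOT {dev} at ~{boot}")
```

A 32-bit sysUpTime counter wraps after roughly 497 days, which this logic would also report as a reboot, so confirm any hit against the router's own event log.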

Strategic follow-through

  • Segment high-value networks. Use the EDR units to keep OT segments isolated from IT, and block unnecessary inbound services to reduce the attack surface.
  • Update VPN gateways. CISA cautions that VPNs themselves carry vulnerabilities; patch concentrators and enforce MFA before restoring remote access.
  • Baseline configuration. Export known-good configurations after patching so tampered firmware or configs can be quickly rolled back.

Source excerpts

Primary — exploit impact: “Successful exploitation of this vulnerability could crash the device being accessed; a buffer overflow condition may allow remote code execution.”

CISA ICSA-20-196-02 (Moxa EDR-G902/G903)

Primary — affected versions: “EDR-G902 Series: firmware versions 5.4 and prior… EDR-G903 Series: firmware versions 5.4 and prior.”

CISA ICSA-20-196-02 (Moxa EDR-G902/G903)

Primary — vendor mitigation: “Install firmware patch. Patches may be downloaded from Moxa’s security advisory page.”

CISA ICSA-20-196-02 (Moxa EDR-G902/G903)

Primary — network exposure guidance: “Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.”

CISA ICSA-20-196-02 (Moxa EDR-G902/G903)