Decoding the world of cybersecurity

Moxa fix leaves encryption gap

Moxa has disclosed an incomplete remediation affecting industrial computers, where invasive physical access could still expose LUKS disk encryption keys.

Moxa fix leaves encryption gap
Summary
  • Moxa says CVE-2026-9266 is an incomplete remediation of an earlier TPM-backed LUKS issue.
  • Exploitation requires invasive physical access and cannot be performed remotely.
  • The advisory links field equipment security to physical protection, firmware assurance, and update discipline.

Moxa has disclosed a high-severity vulnerability in embedded Linux firmware for industrial computers and controllers, after identifying that a previous fix failed to provide effective protection for TPM-backed disk encryption.

The issue, tracked as CVE-2026-9266, affects Moxa industrial computer product lines using secure versions of Moxa Industrial Linux across UC and V series devices. Moxa says the vulnerability is an incomplete remediation of CVE-2026-0714. The earlier issue involved TPM-backed LUKS full-disk encryption on devices where the discrete TPM is connected to the CPU through an SPI bus.

Moxa introduced TPM2 parameter encryption as a countermeasure, but the new advisory says an omission in the authorisation session configuration means the protection provides no effective defence. An attacker with invasive physical access could still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext.

The attack path has clear limits. Moxa says remote exploitation is not possible and downstream systems are not affected. Successful exploitation requires opening the device, attaching external equipment to the SPI bus, and having enough time and capability to capture and analyse signals. It is not a brief or opportunistic access scenario.

In industrial environments, that narrow route can still sit within credible risk planning. Industrial computers and controllers are often deployed in substations, transport infrastructure, manufacturing lines, utilities, maritime systems, roadside equipment, and remote facilities where physical access controls vary widely. Some devices sit inside secured control rooms, while others are placed in cabinets, plant rooms, vehicles, ships, field sites, or third-party-managed locations.

The advisory also shows how embedded security depends on implementation detail. Full-disk encryption, secure boot, TPMs, signed firmware, and device-unique credentials can create confidence in architecture, but a missing cryptographic step or flawed session configuration can weaken protection without changing the device’s visible operating model.

Moxa has provided firmware and package updates for affected products, along with separate mitigations where updates are not immediately available. Deployment may still be difficult. Industrial assets can be air-gapped, intermittently connected, vendor maintained, or tied to operational certification processes. Firmware updates across those environments require testing, maintenance windows, rollback procedures, and coordination between operational technology, engineering, security, and procurement teams.

Physical access also needs ownership. Where a device stores sensitive configuration, credentials, telemetry, process data, or certificates, invasive access may support later impersonation, cloning, or deeper understanding of the environment. The risk depends on what the device controls, where it is placed, and what trust other systems give it.

A disciplined response should combine firmware remediation with site-level controls. Cabinets, tamper evidence, maintenance logs, supplier access records, spare device handling, decommissioning procedures, and encryption key governance all affect exposure. Equipment that leaves controlled custody for repair or replacement also needs careful handling.

Industrial resilience depends on layers that hold together in the field. Secure device design, correct cryptography, supported firmware, physical protection, and practical update processes all determine whether protections remain meaningful after deployment.

×