PatchSiren


CVE-2016-9346 Moxa CVE debrief

CVE-2016-9346 is an information-disclosure issue in Moxa MiiNePort firmware. According to NVD, affected devices are MiiNePort E1 firmware prior to 1.8, E2 prior to 1.4, and E3 prior to 1.1, where configuration data are stored in a file without encryption. The published CVSS v3.0 score is 5.3 (Medium), reflecting a confidentiality impact only.

Vendor: Moxa
Product: CVE-2016-9346
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

ICS/OT administrators and asset owners running Moxa MiiNePort E1, E2, or E3 devices, especially teams that manage firmware updates, device backups, or filesystem access controls.

Technical summary

NVD classifies the weakness as CWE-310 and rates it CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The core issue is that configuration data are stored in an unencrypted file, which can expose sensitive device settings if the file is accessed. The affected firmware thresholds listed in the CVE record are E1 < 1.8, E2 < 1.4, and E3 < 1.1.

Defensive priority

Medium — remediate during normal maintenance cycles, with higher urgency if the devices are reachable by untrusted users or if their configuration files are exposed in backups or shared storage.

Recommended defensive actions

  • Upgrade MiiNePort E1 firmware to 1.8 or later, E2 to 1.4 or later, and E3 to 1.1 or later.
  • Restrict access to the device file system, configuration exports, and any backups that may contain the unencrypted configuration file.
  • Review where configuration files are stored and copied, and remove unnecessary access from shared or exposed locations.
  • Segment and monitor OT/ICS management access so only authorized administrators can reach the affected devices.
  • Validate remediation against the NVD and US-CERT advisory references listed for this CVE.
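
To support the upgrade action above, the following added example (not part of the original debrief or any Moxa tooling) triages an asset inventory against the fixed firmware versions listed in the CVE record. The CSV column names, host names, and the non-MiiNePort row are constructed assumptions; versions are compared as integer tuples so that 1.10 sorts after 1.8, and unparseable firmware strings are flagged for manual review instead of being treated as patched.

```python
import csv
import io
import re

# Fixed firmware versions from the CVE record: E1 < 1.8, E2 < 1.4, E3 < 1.1 are affected.
FIXED = {"E1": (1, 8), "E2": (1, 4), "E3": (1, 1)}

# Constructed sample inventory; column names and hosts are assumptions for this example.
SAMPLE_INVENTORY = """host,model,firmware
plc-gw-01,MiiNePort E1,1.7
plc-gw-02,MiiNePort E1,1.10
plc-gw-03,MiiNePort E2,V1.4
plc-gw-04,miineport e3,1.0
plc-gw-05,MiiNePort E2,unknown
plc-gw-06,NPort 5110,2.2
"""


def parse_version(text):
    """Return the leading dotted version as an int tuple, or None if absent."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text, re.IGNORECASE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(model, firmware):
    """Return 'affected', 'fixed', 'review' (unparseable) or 'out-of-scope'."""
    m = re.search(r"miineport\s*(E[123])\b", model, re.IGNORECASE)
    if not m:
        return "out-of-scope"
    version = parse_version(firmware)
    if version is None:
        return "review"  # unknown firmware needs manual verification
    # Tuple comparison orders 1.10 after 1.8, unlike float or string comparison.
    return "affected" if version < FIXED[m.group(1).upper()] else "fixed"


def audit(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["model"], r["firmware"]) for r in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```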

Evidence notes

The source corpus identifies the issue as CVE-2016-9346, published on 2017-02-13. NVD lists the affected firmware ranges for MiiNePort E1/E2/E3, the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, and CWE-310. NVD also references US-CERT advisory ICSA-16-343-01 and SecurityFocus BID 94783.

Official resources

Publicly disclosed on 2017-02-13.