CVE-2026-9266

· Published 12/06/2026 13:16 · Modified 12/06/2026 16:06 · Author: The MITRE Corporation

Labels: CVE-2026-9266, 2026-06-12, CWE-325, [email protected]

Essential information

Published
12/06/2026 13:16
Modified
12/06/2026 16:06
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
7.0 HIGH (v3), 7.0 HIGH (v4.0)
CISA KEV
No
CWE
CWE-325

Description

A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure against CVE-2026-0714. However, an omission in the authorization session configuration causes the parameter encryption to provide no effective protection. An attacker with invasive physical access to the device can still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext. While successful exploitation results in full compromise of the encrypted disk volume, the attack requires invasive physical access, including opening the device and attaching external equipment to the SPI bus. Remote exploitation is not possible, and the attack does not affect any downstream systems.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product | CPE
moxa / embedded linux firmware | cpe:2.3:a:moxa:embedded_linux_firmware:*:*:*:*:*:*:*:*
moxa / industrial computer | cpe:2.3:a:moxa:industrial_computer:*:*:*:*:*:*:*:*
moxa / industrial controller | cpe:2.3:a:moxa:industrial_controller:*:*:*:*:*:*:*:*

References