CPATH-2026-0032 · GENERAL IOT

Moxa PT/EDS industrial Ethernet switch authentication bypass (CVE-2024-12297)

Provisional. Candidate score (CFSE Consequence Paths 1.0-candidate); pending independent review. Treat as a structured second opinion, not a final rating.

Paths HIGH Dominant consequence ACCOUNT_AUTHORITY authority · Evidence EV:2 (report-backed) · Liveness PATCH_AVAILABLE

CPATH ID	`CPATH-2026-0032`
CVE(s)	CVE-2024-12297
Device / class	Moxa PT/EDS industrial Ethernet switch authentication bypass (CVE-2024-12297) (GENERAL IOT)
Vendor	Moxa
Dominant consequence	`ACCOUNT_AUTHORITY` (authority)
Paths verdict	HIGH (worst of 3 paths)
Published baseline	v4.0 9.2 CRITICAL `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X` · Moxa PSIRT via NVD
Baseline relationship	▲ Paths lower
Consequence dimension(s)	#2 (what these mean)
Scored	2026-06-03 · CFSE Consequence Paths v1.0-candidate · validation: provisional
Baseline confidence	high

Consequence Paths

Paths Assessment

authority

`ACCOUNT_AUTHORITY`

HIGH

Reachability RE:4

Complexity EC:2

Consequence ACCOUNT_AUTHORITY

Scale SR:3 / SX:3

Verdict HIGH

Reachability 4

Complexity 2

Exposure 2

Physical / safety 2

Data / perception 3

Authority 3

Chainability 4

Reuse scale 3

Execution scale 3

Recovery 2

Evidence EV:2 · report-backed

Liveness PATCH_AVAILABLE

Vector

CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:2/EX:2/PH:2/DP:3/AT:3/CH:4/SR:3/SX:3/OR:2/EV:2/LS:PATCH_AVAILABLE

Physical/safety

`DEVICE_AVAILABILITY`

HIGH

Reachability RE:4

Complexity EC:2

Consequence DEVICE_AVAILABILITY

Scale SR:3 / SX:3

Verdict HIGH

Reachability 4

Complexity 2

Exposure 2

Physical / safety 2

Data / perception 1

Authority 3

Chainability 3

Reuse scale 3

Execution scale 3

Recovery 2

Evidence EV:2 · report-backed

Liveness PATCH_AVAILABLE

Vector

CPATH:1.0-candidate/TT:DEVICE_AVAILABILITY/RE:4/EC:2/EX:2/PH:2/DP:1/AT:3/CH:3/SR:3/SX:3/OR:2/EV:2/LS:PATCH_AVAILABLE

perception

`DATA_PRIVACY`

HIGH

Reachability RE:4

Complexity EC:2

Consequence DATA_PRIVACY

Scale SR:3 / SX:3

Verdict HIGH

Reachability 4

Complexity 2

Exposure 2

Physical / safety 2

Data / perception 3

Authority 3

Chainability 3

Reuse scale 3

Execution scale 3

Recovery 2

Evidence EV:2 · report-backed

Liveness PATCH_AVAILABLE

Vector

CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:2/EX:2/PH:2/DP:3/AT:3/CH:3/SR:3/SX:3/OR:2/EV:2/LS:PATCH_AVAILABLE

Assessment

CFSE Consequence Paths assesses Moxa PT/EDS industrial Ethernet switch authentication bypass (CVE-2024-12297) at HIGH — the worst of 3 risk paths (authority, safety, perception). The dominant consequence is privileged account or control authority.

Vulnerability

Moxa PT/EDS industrial Ethernet switch authentication bypass (CVE-2024-12297). Reported attack vector: Network (remote, low attack complexity per CVSS v4 metrics; AV Network, AC Low).

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

`ACCOUNT_AUTHORITY` → HIGH

CPATH:1.0-candidate/TT:ACCOUNT_AUTHORITY/RE:4/EC:2/EX:2/PH:2/DP:3/AT:3/CH:4/SR:3/SX:3/OR:2/EV:2/LS:PATCH_AVAILABLE

Exposure EX=2 (execution complexity-bound) · bands PH=ELEVATED · DP=HIGH · AT=HIGH → base HIGH → assessed HIGH.

Network-reachable management interface (RE:4 per AV:Network; though management-VLAN segmentation may reduce in practice, default exposure on flat OT nets drives 4). EC:2 because exploitation requires brute-force or MD5-collision hash forgery (advanced-but-reproducible, not a one-shot RCE). AT:3 admin/config authority over the switch (network forwarding/device settings) but not a signing-root/OTA root, so not 4. DP:3 config access exposes firmware/proprietary/sensitive-op-state. CH:4 admin foothold on OT infrastructure is a reusable cross-domain pivot (app/cloud/device/network boundary crossing). SR:3 reusable bypass technique across nine+ models but not a shared key/signing-root. SX:3 deployment-wide with setup since each device’s mgmt plane must be reached. PH:2 indirect availability/workflow disruption, no direct actuation. OR:2 recoverable via firmware patch though OT windows long. EV:2 report-backed (researcher-reported, advisory published, not publicly reproduced).

`DEVICE_AVAILABILITY` → HIGH

CPATH:1.0-candidate/TT:DEVICE_AVAILABILITY/RE:4/EC:2/EX:2/PH:2/DP:1/AT:3/CH:3/SR:3/SX:3/OR:2/EV:2/LS:PATCH_AVAILABLE

Exposure EX=2 (execution complexity-bound) · bands PH=ELEVATED · DP=ELEVATED · AT=HIGH → base HIGH → assessed HIGH.

Post-bypass the attacker can disrupt service / alter switch forwarding behavior, breaking OT process communications. RE:4 same network-reachable mgmt surface. EC:2 same brute-force/collision effort. AT:3 config-level control of OT network device. PH:2 communications/availability disruption on the control network path; advisory notes no direct actuator control, so not 3/4 safety injury. DP:1 minimal data exposure on this disruption-focused path. CH:3 chains to broader OT outage. SR:3 reusable technique across models. SX:3 deployment-wide with per-site mgmt-plane reach. OR:2 patchable. EV:2 report-backed.

`DATA_PRIVACY` → HIGH

CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:2/EX:2/PH:2/DP:3/AT:3/CH:3/SR:3/SX:3/OR:2/EV:2/LS:PATCH_AVAILABLE

Exposure EX=2 (execution complexity-bound) · bands PH=ELEVATED · DP=HIGH · AT=HIGH → base HIGH · caps privacy-only cap → assessed HIGH.

Admin/config access enables port-mirroring and traffic manipulation to eavesdrop on OT/control-network traffic (confidentiality + integrity). RE:4 network mgmt surface. EC:2 brute-force/MD5-collision effort to reach config. AT:3 config authority enabling the mirroring. DP:3 sensitive operational/control-network traffic and config (firmware/proprietary state), not biometric/world-model so not 4.
perception_feeds_action — false: this is network/OT traffic data, not a sensor world-model that directly drives physical/navigation/therapy decisions. PH:0 no direct safety on the pure-eavesdrop path. CH:3 mirrored OT traffic/creds enable lateral movement. SR:3 reusable bypass across models. SX:3 deployment-wide with per-site reach. OR:2 patchable. EV:2 report-backed.

Published baseline

v4.0 9.2 CRITICAL — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X — Moxa PSIRT via NVD

The published baseline above is retained for source review. The registry records the reachable consequence path rather than treating the baseline score as the primary registry frame.

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12297

Score it yourself in the calculator Review this score

Cite this entry:

CFSE Consequence Paths Registry v1.0-candidate, entry CPATH-2026-0032 (“Moxa PT/EDS industrial Ethernet switch authentication bypass (CVE-2024-12297)”), paths.cfse.ai/CPATH-2026-0032 (published 2026-06-03).

Moxa PT/EDS industrial Ethernet switch authentication bypass (CVE-2024-12297)

Paths Assessment

Assessment

Vulnerability

CFSE Consequence Paths analysis

ACCOUNT_AUTHORITY → HIGH

DEVICE_AVAILABILITY → HIGH

DATA_PRIVACY → HIGH

Published baseline

Sources

`ACCOUNT_AUTHORITY` → HIGH

`DEVICE_AVAILABILITY` → HIGH

`DATA_PRIVACY` → HIGH