CVE-2026-9266
A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and co...
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CWE
- CWE-325
Description
A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure against CVE-2026-0714. However, an omission in the authorization session configuration causes the parameter encryption to provide no effective protection. An attacker with invasive physical access to the device can still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext. While successful exploitation results in full compromise of the encrypted disk volume, the attack requires invasive physical access, including opening the device and attaching external equipment to the SPI bus. Remote exploitation is not possible, and the attack does not affect any downstream systems.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-45446 — Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authe... (4.8 MEDIUM)
- CVE-2026-45445 — Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied... (7.5 HIGH)
- CVE-2026-42770 — Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgro... (3.7 LOW)
- CVE-2026-0420 — An improper implementation of TLS certificate validation vulnerability found in NETGEAR's ReadyCloud client app which could allow an atta...
- CVE-2026-48480 — The netty incubator codec.bhttp is a java language binary http parser