CVE Vulnerability Database

CVE-2026-9266: Moxa Firmware Information Disclosure Flaw

CVE-2026-9266 is an information disclosure vulnerability in Moxa's embedded Linux firmware for industrial devices. An attacker with invasive physical access to the SPI bus can capture TPM communications and recover the LUKS disk encryption key.

CVE-2026-9266 Overview

CVE-2026-9266 is a Missing Required Cryptographic Step vulnerability [CWE-325] in Moxa's embedded Linux firmware for industrial computers and controllers. The flaw represents an incomplete remediation of CVE-2026-0714. Moxa added TPM2 parameter encryption to defend against the prior issue, but an omission in the authorization session configuration renders the encryption ineffective. An attacker with invasive physical access can capture Trusted Platform Module (TPM) communications on the Serial Peripheral Interface (SPI) bus and recover the Linux Unified Key Setup (LUKS) disk encryption key in plaintext.

Critical Impact

Successful exploitation results in full compromise of the encrypted disk volume on affected Moxa industrial computers, exposing all data at rest.

Affected Products

  • Moxa embedded Linux firmware for industrial computers
  • Moxa embedded Linux firmware for industrial controllers
  • Devices that previously received the CVE-2026-0714 remediation

Discovery Timeline

  • 2026-06-12 - CVE-2026-9266 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-9266

Vulnerability Analysis

The affected Moxa devices store the LUKS disk encryption key in the TPM and retrieve it during boot over the SPI bus. The earlier CVE-2026-0714 disclosure showed that an attacker probing the SPI bus could read the key in plaintext. Moxa's fix introduced TPM2 parameter encryption, which is intended to protect command parameters and response data exchanged between the host and the TPM.

Parameter encryption only takes effect when the authorization session is configured with the correct session attributes and a suitable symmetric algorithm. In the affected firmware, the session is established but the required attributes are not set, so the TPM and host continue to exchange the unsealed key material in cleartext over SPI. The protection therefore exists in name only.

Exploitation requires invasive physical access. Remote exploitation is not possible, and the issue does not propagate to downstream systems.

Root Cause

The root cause is an incomplete TPM2 authorization session configuration. The session is created without enabling the parameter encryption attributes needed to wrap sensitive command parameters and response payloads. As a result, the unseal operation returning the LUKS key transmits the secret in plaintext on the SPI bus.
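The following added example (not code from the advisory, Moxa, or this page) shows what "missing session attributes" looks like at the wire level. It parses the authorization area of a TPM2_Unseal command as it would appear in an SPI trace and reports whether the session's TPMA_SESSION `encrypt` bit is set, which is what protects the unsealed key in the response; a session without it returns the key in cleartext. Session and object handles, nonce and HMAC values are constructed sample data. The bit is necessary but not sufficient: the session must also have been started as an HMAC session with a non-NULL symmetric algorithm, which this check does not see.

```python
import struct

# TPM 2.0 Library Part 2 constants: structure tag, command code, TPMA_SESSION bits
TPM_ST_SESSIONS = 0x8002
TPM_CC_UNSEAL = 0x0000015E
TPMA_SESSION_BITS = {
    0x01: "continueSession", 0x02: "auditExclusive", 0x04: "auditReset",
    0x20: "decrypt", 0x40: "encrypt", 0x80: "audit",
}
HANDLE_COUNT = {TPM_CC_UNSEAL: 1}  # TPM2_Unseal carries a single itemHandle

def parse_auth_sessions(cmd: bytes):
    """Return (sessionHandle, sessionAttributes) for each session in the
    authorization area of a TPM 2.0 command as captured on the SPI bus."""
    tag, size, cc = struct.unpack(">HII", cmd[:10])
    if tag != TPM_ST_SESSIONS or size != len(cmd) or cc not in HANDLE_COUNT:
        raise ValueError("not a supported command with an authorization area")
    off = 10 + 4 * HANDLE_COUNT[cc]          # skip the handle area
    auth_size = struct.unpack(">I", cmd[off:off + 4])[0]
    off += 4
    end = off + auth_size
    sessions = []
    while off < end:                        # one TPMS_AUTH_COMMAND per session
        handle, nonce_len = struct.unpack(">IH", cmd[off:off + 6])
        off += 6 + nonce_len                # skip nonceCaller
        attrs = cmd[off]                    # TPMA_SESSION byte
        hmac_len = struct.unpack(">H", cmd[off + 1:off + 3])[0]
        off += 3 + hmac_len                 # skip the HMAC (or password) buffer
        sessions.append((handle, attrs))
    return sessions

def unseal_response_encrypted(cmd: bytes) -> bool:
    """TPM2_Unseal returns the secret in its response, so the 'encrypt'
    attribute on the first session is what keeps it off the bus in clear."""
    sessions = parse_auth_sessions(cmd)
    return bool(sessions) and bool(sessions[0][1] & 0x40)

def build_unseal(attrs: int, session=0x02000000, item=0x81000001) -> bytes:
    """Constructed TPM2_Unseal command (sample handles/nonce/HMAC, not a real trace)."""
    nonce, hmac = b"\x11" * 16, b"\x22" * 32
    auth = struct.pack(">IH", session, len(nonce)) + nonce
    auth += bytes([attrs]) + struct.pack(">H", len(hmac)) + hmac
    body = struct.pack(">II", item, len(auth)) + auth   # itemHandle, authorizationSize, auth area
    return struct.pack(">HII", TPM_ST_SESSIONS, 10 + len(body), TPM_CC_UNSEAL) + body

if __name__ == "__main__":
    for attrs in (0x01, 0x41):   # continueSession only vs. continueSession|encrypt
        names = [n for b, n in TPMA_SESSION_BITS.items() if attrs & b]
        print(names, "response encrypted:", unseal_response_encrypted(build_unseal(attrs)))
```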

Attack Vector

An attacker must open the device chassis and physically attach a logic analyzer or bus sniffer to the SPI lines connecting the System-on-Chip to the TPM. During boot, the firmware performs the TPM unseal operation and the captured trace contains the plaintext LUKS key. The attacker then removes the storage media and decrypts the volume offline.

No verified public proof-of-concept code is available. Refer to the Moxa Security Advisory MPSA-266240 for vendor technical details.

Detection Methods for CVE-2026-9266

Indicators of Compromise

  • Evidence of chassis tampering, broken tamper-evident seals, or unauthorized removal of device covers
  • Solder marks, test clip residue, or probe attachment points on or near TPM and SPI flash components
  • Unexplained device downtime or power cycles consistent with bus capture sessions
  • Storage media that has been removed and reinserted or cloned outside maintenance windows

Detection Strategies

  • Inspect deployed industrial computers for tamper-evident seal integrity during routine maintenance
  • Correlate physical access logs from facility access control with device power events
  • Audit firmware versions across the fleet and flag systems still running pre-patch builds
  • Monitor for unexpected reboots or boot anomalies reported by device health telemetry

Monitoring Recommendations

  • Forward device boot logs and platform health events to a centralized security data lake for review
  • Track facility entry into rooms hosting industrial computers and reconcile against work orders
  • Enable continuous physical environment monitoring such as enclosure intrusion switches where supported
  • Review change management records for any maintenance involving disk or TPM components

How to Mitigate CVE-2026-9266

Immediate Actions Required

  • Apply the firmware update published in Moxa Security Advisory MPSA-266240 to all affected devices
  • Restrict and audit physical access to industrial computers and controllers in operational technology environments
  • Apply tamper-evident seals to device enclosures and document baseline images of each unit
  • Rotate the LUKS passphrase and re-seal disk encryption keys after firmware remediation

Patch Information

Moxa has published remediation guidance in the Moxa Security Advisory MPSA-266240. Administrators should review the advisory for the specific firmware versions and apply the vendor-supplied update that correctly enables TPM2 parameter encryption session attributes.

Workarounds

  • Deploy affected devices only in physically secured cabinets or locked control rooms
  • Use tamper-evident enclosures and intrusion detection switches to flag unauthorized opening
  • Limit device service to authorized personnel and maintain a chain-of-custody log for field units
  • Remove or sanitize decommissioned devices to prevent offline disk extraction after disposal
```bash
# Configuration example
# Verify deployed firmware version against the MPSA-266240 fixed release
# and confirm patch installation before returning devices to service.
# Refer to the Moxa advisory for the exact version string.
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
