CVE-2022-40224
Published: 07 February 2023
Summary
CVE-2022-40224 is a high-severity Insufficient Resource Pool (CWE-410) vulnerability in Moxa SDS-3008 firmware. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 11.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A denial of service vulnerability exists in the web server functionality of the Moxa SDS-3008 Series Industrial Ethernet Switch version 2.1. The flaw, tracked as CVE-2022-40224, is triggered by a specially crafted HTTP message header and is assigned a CVSS v3.1 score of 7.5 with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. It is associated with CWE-410.
An unauthenticated attacker with network access can send a malicious HTTP request to the device's web interface, causing the service to become unavailable and resulting in denial of service. No user interaction or credentials are required for exploitation.
Moxa has published a security advisory detailing the issue alongside related web vulnerabilities in the SDS-3008 series and provides remediation guidance at the referenced support page; Talos Intelligence has also released a detailed vulnerability report with technical analysis.
The EPSS score for this CVE rose from a low baseline to a peak of 0.1194 on 2026-02-08 before receding to the current value of 0.0372, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-43522
Vulnerability details
A denial of service vulnerability exists in the web server functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted HTTP message header can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ensures a managed resource pool is maintained rather than allowing exhaustion by any single consumer.