MOFIU Vulnerability Disclosure Policy
Last Updated: 1st Jan, 2026
Version: 1.4
1. Our Commitment to Industrial Security
At MOFIU, we believe that security is not a feature, but a foundational requirement for the modern industrial landscape. Our flagship product series is built on a Security-by-Design philosophy, incorporating Hardware Root of Trust (HRoT) and Secure Boot at the silicon level.
However, we recognize that the cybersecurity landscape is constantly evolving. We value the critical role that independent security researchers play in keeping the global industrial ecosystem safe. This policy outlines our commitment to investigating and resolving potential vulnerabilities reported to us in good faith.
2. Safe Harbor and Researcher Protection
MOFIU pledges that we will not initiate legal action against researchers who:
· Engage in vulnerability research and testing in accordance with this policy.
· Avoid any activities that could cause service disruption, data destruction, or harm to our customers' critical infrastructure.
· Provide us with a reasonable period to remediate the vulnerability before any public disclosure.
We consider your research to be authorized as long as it adheres to these principles.
3. Scope of Research
We encourage the security community to test and analyze the following assets:
In-Scope:
· Hardware: MOFIU SG100 series industrial gateways (physical and logical interfaces).
· Firmware: Official MOFIU OS and embedded drivers.
· Network Protocols: Implementation of WireGuard, MQTT, etc. within our devices.
· APIs: Official MOFIU management and telemetry APIs.
Out-of-Scope:
· Denial of Service (DoS/DDoS) attacks against MOFIU corporate servers or customer devices.
· Social engineering, phishing, or physical security attacks against MOFIU employees or facilities.
· Intentional disruption of live industrial control systems (ICS) or SCADA networks.
4. How to Report a Vulnerability
To ensure a secure and rapid response, please submit your findings to our Product Security Incident Response Team (PSIRT):
Primary Contact Email: PSIRT@mofiu.com
Please include the following details in your report:
1. Product Name and Firmware Version (e.g., SG100 v1.2.x).
2. Vulnerability Type (e.g., Buffer Overflow, Authentication Bypass).
3. Detailed Description and potential impact.
4. Proof of Concept (PoC) steps or scripts to reproduce the issue.
5. Our Structured Response Process (SLA)
MOFIU follows a transparent and coordinated disclosure process aligned with IEC 62443 guidelines:
· Initial Acknowledgment: Within 48 business hours of receiving your report.
· Technical Assessment: Within 10 business days, our PSIRT will validate the vulnerability and assign a CVSS (Common Vulnerability Scoring System) score.
· Remediation: For critical vulnerabilities, we aim to release a patch or mitigation within 30 to 90 days.
· Coordinated Disclosure: We will work with the researcher to publish a security advisory (and request a CVE ID if applicable) once the fix is deployed.
6. Recognition and Hall of Fame
MOFIU deeply appreciates the time and expertise of researchers who help us improve our products. With your permission, we will:
· Publicly acknowledge your contribution in our official Security Hall of Fame.
· Mention your name in the relevant CVE documentation.
· Provide exclusive MOFIU Early Access hardware for future testing (Optional).
7. Contact Us
For general security inquiries or to join our Beta Security Testing Program, please contact us at:
Company: Guangzhou Mofiu Technology Co., Ltd
Web: www.mofiu.com
Email: PSIRT@mofiu.com
Advisory ID: MOFIU-SA-2025-004
Title: Stored Cross-Site Scripting (XSS) in Web Management Interface
Severity: Medium (CVSS v3.1 Score: 5.4)
Date Resolved: December 15, 2025
Affected Product: SG100 Series (Firmware v1.0.1 and earlier)
Description: During internal penetration testing of the SG100 Web Management interface, our PSIRT identified a vulnerability in the network configuration module. Insufficient input sanitization when saving custom network interface descriptions could allow an authenticated administrator to inject malicious JavaScript.
Impact: If triggered by another active administrative session, this could lead to unauthorized actions being executed within the context of the Web UI, potentially altering routing rules.
Remediation: Fixed in Firmware v1.0.3. We implemented strict output encoding and comprehensive input validation algorithms across all Web and CLI management input fields.
Advisory ID: MOFIU-SA-2025-003
Title: Denial of Service (DoS) Vulnerability in Modbus TCP Parser
Severity: High (CVSS v3.1 Score: 7.5)
Date Resolved: October 22, 2025
Affected Product: SG100 Series (Firmware v0.9.8 and earlier)
Description: The SG100 supports advanced SCADA protocol conversion. A software vulnerability was discovered in the Modbus TCP parsing engine where receiving a specifically malformed packet sequence with an anomalous header length could cause the protocol conversion daemon to exhaust allocated memory resources.
Impact: This memory leak could cause the industrial protocol translation service to restart, resulting in a temporary interruption of SCADA telemetry data transmission. The core routing and VPN tunnels remained unaffected due to OS-level process isolation.
Remediation: Fixed in Firmware v1.0.0 (Release Candidate). The Modbus parser daemon was rewritten to include strict bounds checking and robust dynamic memory allocation limits.
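The bounds checking described in MOFIU-SA-2025-003 can be illustrated with a small Modbus TCP framer. This is an added example, not MOFIU's firmware code: the class and function names are hypothetical, the sample frames are constructed, and the limits come from the Modbus TCP header layout (7-byte MBAP header, PDU of at most 253 bytes).

```python
import struct

MBAP_LEN = 7    # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253   # largest Modbus PDU, so a Modbus TCP ADU never exceeds 260 bytes


class FrameError(ValueError):
    """Raised when a header is invalid; the caller should close the connection."""


class ModbusTcpFramer:
    """Incremental framer that validates the MBAP header before waiting for a body."""

    def __init__(self):
        self._buf = bytearray()

    def pending(self):
        """Bytes held between calls; stays below 260 because lengths are checked first."""
        return len(self._buf)

    def feed(self, data):
        """Append received bytes and return complete (transaction_id, unit_id, pdu) frames."""
        self._buf += data
        frames = []
        while len(self._buf) >= MBAP_LEN:
            tid, proto, length, unit = struct.unpack_from(">HHHB", self._buf, 0)
            # The length field counts the unit id plus the PDU: valid range is 2..254.
            if proto != 0 or not 2 <= length <= MAX_PDU + 1:
                self._buf.clear()
                raise FrameError(f"bad MBAP header: protocol={proto} length={length}")
            total = 6 + length
            if len(self._buf) < total:
                break  # header is sane; wait for the remaining body bytes
            frames.append((tid, unit, bytes(self._buf[MBAP_LEN:total])))
            del self._buf[:total]
        return frames


# Constructed sample: Read Holding Registers request (function 0x03, 10 registers).
GOOD = struct.pack(">HHHB", 1, 0, 6, 1) + bytes([0x03, 0x00, 0x00, 0x00, 0x0A])
# Constructed sample: header announcing a 65535-byte body that never arrives.
BAD = struct.pack(">HHHB", 2, 0, 0xFFFF, 1)
```

Because the length field is rejected before any body bytes are awaited, a header that announces an oversized body cannot make the framer hold memory for it.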
Advisory ID: MOFIU-SA-2025-002
Title: Insufficient Authentication in SMS Remote Management Module
Severity: High (CVSS v3.1 Score: 8.1)
Date Resolved: August 12, 2025
Affected Product: SG100 Series (Firmware v0.8.5 and earlier)
Description: The SG100 gateway features an SMS-based remote control script, allowing administrators to query device status or trigger cellular interface resets via 4G LTE. Our internal Red Team identified a logic flaw where, if an attacker successfully spoofed the authorized administrator's phone number at the carrier level, the gateway's SMS handling script could process commands without validating the secondary cryptographic PIN.
Impact: An unauthorized actor capable of SMS spoofing could force the gateway firmware to execute a reboot or drop the cellular connection, leading to a temporary disruption of IoT connectivity.
Remediation: Fixed in Firmware v0.8.6. The SMS management script was completely overhauled. All remote SMS commands now strictly mandate a time-based HMAC-SHA256 signature suffix, completely neutralizing carrier-level spoofing attacks.
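A sketch of how a time-based HMAC-SHA256 suffix on an SMS command can be verified, as described in MOFIU-SA-2025-002. This is an added example, not MOFIU's script: the wire format `<command> <unix_ts> <hex tag>`, the 120-second window, the replay cache and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

WINDOW_S = 120  # assumed tolerance for clock skew and SMS delivery delay


def _tag(key, command, ts):
    return hmac.new(key, f"{command}|{ts}".encode(), hashlib.sha256).hexdigest()


def sign_command(key, command, ts):
    """Build '<command> <unix_ts> <hex tag>' (constructed wire format)."""
    return f"{command} {ts} {_tag(key, command, ts)}"


class SmsCommandVerifier:
    """Accepts a command only on a fresh, unseen, valid tag; sender number is ignored."""

    def __init__(self, key, allowed_commands):
        self._key = key
        self._allowed = set(allowed_commands)
        self._seen = {}  # tag -> timestamp, kept only while inside the window

    def verify(self, sms_body, now=None):
        """Return the command name if the message is acceptable, else None."""
        now = int(time.time()) if now is None else now
        parts = sms_body.strip().rsplit(" ", 2)
        if len(parts) != 3:
            return None
        command, ts_text, tag = parts
        if not (ts_text.isascii() and ts_text.isdigit() and len(ts_text) <= 12):
            return None
        ts = int(ts_text)
        expected = _tag(self._key, command, ts)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return None  # constant-time comparison of the full tag
        if abs(now - ts) > WINDOW_S or command not in self._allowed:
            return None
        self._seen = {t: s for t, s in self._seen.items() if now - s <= WINDOW_S}
        if tag in self._seen:
            return None  # replay of a message captured inside the window
        self._seen[tag] = ts
        return command
```

The decision rests on possession of the shared key, so the originating phone number carries no authority by itself; the time window and replay cache limit reuse of a captured message.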
Advisory ID: MOFIU-SA-2025-001
Title: Authenticated OS Command Injection in VPN Configuration Module
Severity: High (CVSS v3.1 Score: 8.8)
Date Resolved: June 20, 2025
Affected Product: SG100 Series (Firmware v0.8.2 and earlier)
Description: During early firmware audits, it was discovered that the OpenVPN/IPsec configuration upload handler did not properly sanitize the filenames of imported certificate files. An authenticated user with basic read-only access could craft a specific filename containing Linux shell metacharacters.
Impact: Successful exploitation of this vulnerability could allow a malicious actor with valid, low-level login credentials to execute arbitrary commands on the underlying Linux operating system with elevated privileges.
Remediation: Addressed in Firmware v0.8.3. We implemented strict server-side input validation, whitelisting only alphanumeric characters for uploaded VPN certificate filenames, and replaced vulnerable OS system calls with secure execution APIs.
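The two controls named in the MOFIU-SA-2025-001 remediation, a filename allowlist and execution without a shell, are shown together below. This is an added example, not MOFIU's handler: the function names are hypothetical, the allowlist (alphanumeric stem plus a fixed extension) is an assumed rule, and the Python interpreter stands in for the real certificate tool.

```python
import re
import subprocess
import sys

# Assumed rule: alphanumeric stem of 1-64 characters plus one fixed extension.
_NAME_RE = re.compile(r"[A-Za-z0-9]{1,64}\.(?:crt|pem|key)")

# Stand-in for the certificate tool (assumption): prints its last argument.
_TOOL = [sys.executable, "-c", "import sys; print(sys.argv[-1])"]


def safe_cert_name(upload_name):
    """Return the name unchanged if it passes the allowlist, else raise ValueError."""
    if not isinstance(upload_name, str) or not _NAME_RE.fullmatch(upload_name):
        raise ValueError("certificate filename rejected by allowlist")
    return upload_name


def run_tool(arg):
    """Pass arg as a single argv element; no shell ever parses it."""
    done = subprocess.run(
        _TOOL + ["--", arg],   # "--" keeps a leading "-" from being read as an option
        capture_output=True, text=True, timeout=10, check=True,
    )
    return done.stdout.strip()


def inspect_cert(upload_name):
    """Validate first, then execute: both layers must hold for the call to proceed."""
    return run_tool(safe_cert_name(upload_name))
```

The allowlist rejects the input outright, and the argv-based call means a name that somehow got past validation would still reach the tool as literal text.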