Moxa Won’t Patch Publicly Disclosed Flaws Until August

A number of publicly disclosed vulnerabilities in Moxa networking gear won’t be patched until August, if at all, according to an alert published on Friday by the Industrial Control System Cyber Emergency Response Team (ICS-CERT).

Researcher Joakim Kennedy of Rapid7 disclosed in March details of critical flaws in Moxa NPort 6110 Modbus/TCP-to-serial communication gateways, and in the 5100 and 6000 series serial-to-Ethernet converters.

Moxa said the NPort 6110 device has been discontinued and it will not provide patches. The 5100 and 6000 series will be patched with new firmware expected to be made available in August, ICS-CERT said.

Kennedy said that the devices are not password-protected and many are reachable online. For example, users are not required to set passwords for the NPort 5100 series, and many do not and are reachable via telnet or a web interface. A Shodan search conducted by Rapid7 found 5,000 Moxa devices online, 46 percent of which are not password-protected.

ICS-CERT said the vendor has validated three of the five vulnerabilities that have been disclosed: one flaw enables an attacker to retrieve account information; another allows an attacker to perform remote firmware updates without authentication; and the third is a cross-site request forgery bug. Moxa has not been able to verify a buffer overflow bug leading to remote code execution, nor a cross-site scripting flaw. All of the flaws are remotely exploitable and allow for the execution of malicious scripts or malware, and for privilege escalation.

Kennedy’s March 17 disclosure also identified ports UDP/4800, TCP/4900, TCP/80, TCP/443, TCP/23, TCP/22, and UDP/161 as possible attack vectors. ICS-CERT says it’s not aware of public attacks.

In the meantime, the devices, which are used to connect remote administration tools to things such as medical devices, industrial applications, point-of-sale systems and more, will remain exposed for at least another four months.

ICS-CERT’s alert did recommend some temporary mitigations, such as password protecting NPort 5100 and 6000 series configuration files to prevent attackers from being able to upload binaries to devices. Vulnerable systems can also be removed from the Internet, while control system networks can be put behind a firewall or isolated from the business network, the alert said. Remote administration should also be conducted over a VPN.

“Securing legacy hardware is still very difficult, and this is how not to do it,” Kennedy wrote in his disclosure. “Security is being compromised for convenience, and consumers are, in many cases, just using the default settings. The easier you make it for yourself to connect, the easier you make it for the attacker.”
