
CVE-2026-0714: CWE-319: Cleartext Transmission of Sensitive Information in Moxa UC-1200A Series

Severity: High
Type: Vulnerability
Tags: cve, cve-2026-0714, cwe-319
Published: Thu Feb 05 2026 (02/05/2026, 16:58:50 UTC)
Source: CVE Database V5
Vendor/Project: Moxa
Product: UC-1200A Series

Description

CVE-2026-0714 is a high-severity vulnerability affecting Moxa UC-1200A Series industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3. The discrete TPM communicates with the CPU via an SPI bus, which can be physically tapped by an attacker with extended physical access and specialized equipment. This invasive attack requires opening the device and attaching to the SPI bus to capture TPM communication signals, enabling offline decryption of the device's eMMC storage. Remote or brief physical access attacks are not feasible. The vulnerability impacts confidentiality severely but does not affect availability or integrity directly. No known exploits are currently in the wild. European industrial environments using these devices should prioritize physical security and consider hardware redesign or firmware updates once available.

AI-Powered Analysis

Last updated: 02/05/2026, 17:29:43 UTC

Technical Analysis

CVE-2026-0714 identifies a vulnerability in the Moxa UC-1200A Series industrial computers that utilize TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3. The discrete TPM module is connected to the CPU via an SPI (Serial Peripheral Interface) bus, which is susceptible to physical probing. An attacker with extended physical access can open the device enclosure and attach specialized equipment to the SPI bus lines to capture TPM communication signals. These signals contain sensitive cryptographic material that, once captured, can be analyzed offline to decrypt the eMMC storage contents protected by LUKS encryption. The attack requires invasive physical access, possession of the device for a prolonged period, and technical expertise in signal capture and cryptanalysis. It does not require any user interaction, authentication, or remote network access, making it a purely physical attack vector. The vulnerability is classified under CWE-319, indicating cleartext transmission of sensitive information, here manifested as unprotected TPM bus communication. The CVSS 4.0 score is 7.0 (high), reflecting the high confidentiality impact but limited attack vector (physical only) and no impact on integrity or availability. No patches or firmware updates have been published yet, and no exploits are known in the wild. This vulnerability highlights a hardware design weakness where TPM communication is not adequately protected against physical probing attacks.

Potential Impact

For European organizations, particularly those in critical infrastructure sectors such as manufacturing, energy, transportation, and utilities that deploy Moxa UC-1200A Series industrial computers, this vulnerability poses a significant risk to data confidentiality. If attackers gain prolonged physical access to these devices, they could extract sensitive operational data, intellectual property, or cryptographic keys stored on the device. This could lead to espionage, sabotage, or further compromise of industrial control systems. Because the attack cannot be carried out remotely and requires invasive physical access, insider threats and attackers with physical access to secure areas pose the greatest risk. The impact on system integrity and availability is minimal, but the breach of confidentiality could have cascading effects on operational security and compliance with European data protection regulations such as GDPR if personal or sensitive data is involved. The lack of remote exploitability limits the threat scope but does not eliminate risk in environments where physical security is insufficient.

Mitigation Recommendations

European organizations should implement stringent physical security controls around Moxa UC-1200A devices, including tamper-evident seals, locked enclosures, and restricted access to areas housing these devices. Regular physical inspections should be conducted to detect signs of tampering. Network segmentation and monitoring should be employed to detect anomalous device behavior that could indicate compromise. Until a firmware or hardware patch is available, consider deploying additional encryption layers or using devices with TPM modules connected via more secure interfaces that resist physical probing. Where feasible, replace affected devices with models that have improved TPM bus protections or alternative encryption architectures. Educate personnel on the risks of insider threats and enforce strict access control policies. Maintain an inventory of affected devices and track any physical access events. Collaborate with Moxa for updates and apply any future patches promptly. For critical environments, consider hardware security modules (HSMs) or external encryption devices that do not expose sensitive signals on accessible buses.


Technical Details

Data Version: 5.2
Assigner Short Name: Moxa
Date Reserved: 2026-01-08T10:25:22.303Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6984d01df9fa50a62f2f1645

Added to database: 2/5/2026, 5:15:09 PM

Last enriched: 2/5/2026, 5:29:43 PM

Last updated: 2/5/2026, 8:36:36 PM
