CVE-2026-1632
Published 2026-02-03
Priority: P269 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.47% (37.4th percentile)
MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| riss_srl | moma_seismic_station | <= Version v2.4.2520 | — |
Detection & IOCs (extracted from sources)
- The MOMA Seismic Station web management interface is exposed without authentication; detect unauthenticated HTTP requests to the device's management interface from unexpected sources.
- Monitor for unauthenticated access attempts to ICS/SCADA web management interfaces on internet-facing seismic station devices running MOMA Seismic Station <= v2.4.2520.
- Alert on configuration change, data acquisition, or device reset actions originating from unauthenticated sessions on MOMA Seismic Station devices.
- No vendor patch is available; RISS SRL did not respond to CISA coordination. Affected versions are all releases up to and including v2.4.2520.
- No known public exploitation has been reported to CISA at time of advisory publication.
- CVSS 3.1 score is 9.1 CRITICAL (AV:N/AC:L/PR:N/UI:N), meaning the attack is fully remote, requires no privileges or user interaction, and has high impact on confidentiality and integrity.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CISA ICS
RISS SRL MOMA Seismic Station
cisa_ics·2026-02-03·CVSS 9.1
[CRITICAL] RISS SRL MOMA Seismic Station
ICS Advisory
## RISS SRL MOMA Seismic Station
Release Date: February 03, 2026
Alert Code: ICSA-26-034-03
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of this vulnerability could result in an unauthenticated attacker creating a denial-of-service condition.
The following versions of RISS SRL MOMA Seismic Station are affected:
- MOMA Seismic Station <=v2.4.2520 (CVE-2026-1632)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.1 | RISS SRL | RISS SRL MOMA Seismic Station | Missing Authentication for Critical Function |
## Background
- Critical Infrastructure Sectors: Critical Manufacturing, Dams, Energy, Water and Wastewater, Transportation Systems
- Countries/Areas Deployed: Worldw
GHSA
GHSA-f67h-gfg7-pmp5: MOMA Seismic Station Version v2
ghsa_unreviewed·2026-02-04
CVE-2026-1632 [CRITICAL] CWE-306 GHSA-f67h-gfg7-pmp5: MOMA Seismic Station Version v2
MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-02-03