Microsoft researchers identified vulnerable components of the Boa web server and found evidence of supply chain risks that may affect millions of organizations and devices.

What was found

According to the report, these vulnerable components are difficult to identify and could be exploited to target critical industries.
  • Boa web server was discontinued in 2005, however, different vendors still implement it across a variety of IoT devices ranging from routers to cameras and popular SDKs.
  • As developers are not managing the web server, it is exposed to known vulnerabilities that could allow attackers to silently gain a foothold into OT networks and deploy malicious payloads.

Over one million internet-exposed Boa server components have been identified around the world over the span of a week.

Attack analysis

Recorded Future reported in April that a Chinese group called TAG-38 has been launching attacks using Shadowpad against Indian critical infrastructures since 2020. Researchers published IP hosts associated with these attacks.
  • Microsoft analyzed these IPs and observed that various attackers have employed different malicious methods to leverage all IP addresses.
  • These methods include attempts to connect with default credentials through brute force methods, attempts to run shell commands, and attempts to download a variant of the Mirai malware family.
  • Microsoft assesses that an intrusion activity aimed at Indian power grid entities involved the exploitation of security flaws in IoT devices running Boa.


While Microsoft’s investigation revealed Boa as a common link for attacks against Indian entities, attackers are attempting to exploit known Boa vulnerabilities in other entities too. Organizations and network operators must identify and detect vulnerable components and prioritize improving their security posture to prevent security risks through software and hardware supply chains.
Cyware Publisher