Moxa Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances

Plan Patch | CVSS 9.4 | MPSA-241154 | Oct 14, 2024
Moxa
Summary

Moxa cellular routers, secure routers, and network security appliances contain two critical vulnerabilities. CVE-2024-9137 (CWE-306) allows unauthenticated attackers to execute commands via the Moxa service, enabling unauthorized download or upload of configuration files and system compromise. CVE-2024-9139 (CWE-78) allows authenticated attackers with high privileges to inject OS commands and execute arbitrary code on the device. Both vulnerabilities affect all versions of the affected product families with no patch currently available.

What this means
What could happen
An attacker could remotely access Moxa routers and appliances without credentials to reconfigure network settings, download sensitive device configuration files, and inject commands to execute arbitrary code on the device. This could result in network outage, rerouting of communications, or compromise of systems connected through the appliance.
Who's at risk
This affects organizations operating Moxa cellular routers, secure routers, and network security appliances in utility, manufacturing, water treatment, and other critical infrastructure environments where these devices serve as network gateways or boundary protection between IT and OT networks.
How it could be exploited
An attacker on the network sends unauthenticated commands to the Moxa service port to manipulate device configuration or extract files. If the attacker gains administrative credentials, they can inject OS commands through improperly restricted command fields to execute arbitrary code on the appliance itself, potentially pivoting to downstream OT networks.
Prerequisites
  • Network reachability to the Moxa service port (likely TCP 80, 443, or Moxa proprietary management port)
  • For CVE-2024-9139, valid administrative or privileged user credentials are required
  • remotely exploitable
  • no authentication required (CVE-2024-9137)
  • low complexity
  • no patch available
  • affects network boundary/gateway devices
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
Product | Affected Versions | Fix Status
Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Securit | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Isolate affected Moxa routers and appliances from untrusted networks using firewall rules or network segmentation; restrict management access to authorized administrative networks only
WORKAROUND: Disable or restrict remote management and Moxa service access from external or untrusted networks at the firewall level
HARDENING: Change all default and shared administrative credentials on affected devices to strong, unique passwords
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor device logs and network traffic for unauthorized configuration changes or suspicious command execution
HOTFIX: Contact Moxa support immediately to inquire about firmware updates or replacement options for end-of-life devices
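One way to check that the isolation workaround holds and to support the traffic-monitoring item is to audit firewall flow logs for management-port connections to the affected devices from outside the administrative network. This is an added example, not part of the advisory or Moxa's guidance; the device addresses, admin subnet, log format, and sample records are constructed assumptions, and the ports follow the advisory's "likely" TCP 80/443.

```python
import ipaddress

# Assumptions (not from the advisory): device IPs, admin subnet and the
# whitespace-separated flow format "ts src dst dport proto action".
# Add your site's Moxa service port to MGMT_PORTS if it differs.
MOXA_DEVICES = {ipaddress.ip_address(a) for a in ("10.20.0.1", "10.20.0.2")}
ADMIN_NETS = [ipaddress.ip_network("10.99.0.0/28")]
MGMT_PORTS = {80, 443}

# Constructed sample flow records for demonstration only.
SAMPLE_FLOWS = """\
2024-10-15T08:01:12Z 10.99.0.5 10.20.0.1 443 tcp ALLOW
2024-10-15T08:03:40Z 10.30.4.17 10.20.0.1 80 tcp ALLOW
2024-10-15T08:04:02Z 203.0.113.50 10.20.0.2 443 tcp DENY
2024-10-15T08:05:55Z 10.30.4.17 10.20.0.9 80 tcp ALLOW
malformed line
2024-10-15T08:07:31Z 198.51.100.7 10.20.0.2 443 tcp ALLOW
"""

def parse_flow(line):
    """Return a flow dict, or None when the record is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, port, proto, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "port": int(port),
                "proto": proto, "action": action.upper()}
    except ValueError:
        return None

def audit(log_text):
    """List management-port flows to Moxa devices from non-admin sources."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dst"] not in MOXA_DEVICES:
            continue
        if flow["port"] not in MGMT_PORTS:
            continue
        if any(flow["src"] in net for net in ADMIN_NETS):
            continue  # expected administrative access
        # ALLOW means the segmentation rule is missing; DENY is a blocked attempt.
        kind = "exposed" if flow["action"] == "ALLOW" else "blocked-probe"
        findings.append((kind, flow["ts"], str(flow["src"]), str(flow["dst"]), flow["port"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Any "exposed" result means a firewall rule still permits non-administrative hosts to reach the management interface and should be closed; "blocked-probe" results are worth correlating with device logs.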
API: /api/v1/advisories/63e94719-46f9-45a0-9660-4c0954ad009c


Moxa Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances | CVSS 9.4 - OTPulse