Moxa Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances
Plan Patch | CVSS 9.4 | MPSA-241154 | Oct 14, 2024
Summary
Moxa cellular routers, secure routers, and network security appliances contain two critical vulnerabilities. CVE-2024-9137 (CWE-306) allows unauthenticated attackers to send commands to the Moxa service and manipulate device configurations, including downloading or uploading configuration files. CVE-2024-9139 (CWE-78) allows authenticated attackers to inject OS commands through improperly restricted input, enabling arbitrary code execution. Both vulnerabilities affect all versions of the affected products with no fix currently available.
What this means
What could happen
An attacker can bypass authentication and modify router configurations (CVE-2024-9137), or—if already authenticated—inject OS commands to execute arbitrary code (CVE-2024-9139). Either path could disrupt network operations, reroute traffic, or compromise connected devices.
Who's at risk
This affects water utilities and municipalities using Moxa cellular routers, secure routers, or network security appliances as WAN gateway devices, failover links, or remote site connectivity. Also affects utilities using these devices for SCADA network segmentation or DMZ firewalling. Any facility relying on the router for network availability is at risk of service disruption or traffic interception.
How it could be exploited
An attacker on the network reaches the router's management interface and sends commands to the Moxa service without authentication, allowing configuration manipulation or command injection. For CVE-2024-9139, the attacker must first authenticate but can then inject shell commands via improperly sanitized input fields.
Prerequisites
- Network access to the Moxa router's management port (typically port 80, 443, or 502)
- For CVE-2024-9137: no credentials required
- For CVE-2024-9139: valid engineering or administrative account
Remotely exploitable; no authentication required (CVE-2024-9137); low complexity; no patch available; critical CVSS score (9.4)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Securit | All versions | No fix yet |
Remediation & Mitigation
Do now
- HOTFIX: Contact Moxa support immediately to determine if a firmware patch is available for your specific router model and hardware revision
- WORKAROUND: Disable remote management access to the router from untrusted networks; restrict management port access via firewall to engineering workstations only
- HARDENING: If the router must remain remotely accessible, implement a VPN gateway or jump host with multi-factor authentication in front of the device
- HARDENING: Change all default and administrative credentials to strong, unique values
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Segment the router on a separate management VLAN with restricted access to the operational network
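To check that the management-port restriction from the workaround above is actually in effect, the following added example (not part of the advisory or any Moxa tooling) reads firewall log lines and reports connections to the router's management ports from sources outside an engineering-workstation allowlist. The log layout, IP addresses and names are constructed assumptions; the ports are the ones listed under Prerequisites.

```python
import csv
import io
import ipaddress

# Assumptions (not from the advisory): addresses, log layout and names below
# are constructed for illustration. Ports are the ones the advisory lists.
MGMT_PORTS = {80, 443, 502}
ROUTERS = {ipaddress.ip_address("192.0.2.1")}                  # constructed router IP
ENG_WORKSTATIONS = [ipaddress.ip_network("198.51.100.16/29")]  # constructed allowlist

# Constructed firewall log: timestamp,src,dst,dst_port,action
SAMPLE_LOG = """\
2024-10-14T08:00:01Z,198.51.100.18,192.0.2.1,443,ALLOW
2024-10-14T08:03:12Z,203.0.113.77,192.0.2.1,80,ALLOW
2024-10-14T08:03:15Z,203.0.113.77,192.0.2.1,502,DENY
2024-10-14T08:05:40Z,198.51.100.40,192.0.2.1,443,ALLOW
2024-10-14T08:06:02Z,203.0.113.77,192.0.2.1,22,ALLOW
2024-10-14T08:07:30Z,not-an-ip,192.0.2.1,443,ALLOW
"""

def is_engineering(src):
    return any(src in net for net in ENG_WORKSTATIONS)

def audit(log_text):
    """Return (violations, attempts, malformed) for flows to router management ports.

    violations: ALLOWed flows from outside the allowlist (restriction not in effect).
    attempts:   the same flows when not allowed (restriction held; review the source).
    malformed:  rows that failed to parse, returned so they are not silently dropped.
    """
    violations, attempts, malformed = [], [], []
    for row in csv.reader(io.StringIO(log_text)):
        try:
            ts, src, dst, port, action = (f.strip() for f in row)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:  # wrong field count, bad IP or bad port
            malformed.append(row)
            continue
        if dst_ip not in ROUTERS or port not in MGMT_PORTS or is_engineering(src_ip):
            continue
        (violations if action.upper() == "ALLOW" else attempts).append((ts, src, port))
    return violations, attempts, malformed

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Because CVE-2024-9137 needs no credentials, every entry in `violations` is a path by which the unauthenticated service was reachable and should be closed at the firewall.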
CVEs (2)