Moxa Privilege Escalation and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances
Plan Patch | CVSS 9.8 | MPSA-241155 | Jan 3, 2025
Summary
Two critical vulnerabilities affect Moxa cellular routers, secure routers, and network security appliances. CVE-2024-9140 is an OS command injection vulnerability that allows unauthenticated attackers to bypass input filters and execute arbitrary commands on the device via specially crafted input. CVE-2024-9138 leverages hard-coded credentials to allow authenticated users to escalate privileges to root-level access. Together, these vulnerabilities could allow a remote, unauthenticated attacker to completely compromise the affected device. All versions are currently affected, and no patch is available from the vendor.
What this means
What could happen
An attacker could execute arbitrary commands on your Moxa router or security appliance, potentially redirecting traffic, intercepting communications, or disrupting connectivity to your facility. Combined with privilege escalation, this could result in complete control of the device and unauthorized access to your network.
Who's at risk
This affects water utilities, electric utilities, and other critical infrastructure operators using Moxa cellular routers, secure routers, or network security appliances for edge connectivity, remote facility monitoring, or network perimeter defense. Moxa devices commonly connect SCADA systems, RTUs, and remote sensors to control networks, making them valuable targets for disruption.
How it could be exploited
CVE-2024-9140 allows unauthenticated remote command injection by sending specially crafted input to bypass input validation filters. An attacker can send malicious OS commands directly to the device over the network and execute them with device privileges. CVE-2024-9138 requires an authenticated user (or one who has gained access via the first vulnerability) to exploit hard-coded credentials to escalate to root-level access.
Prerequisites
- Network access to the Moxa device (no specific port mentioned; likely HTTP/HTTPS management interface or SSH)
- For CVE-2024-9140: no authentication required
- For CVE-2024-9138: authenticated access to the device or exploitation of CVE-2024-9140 first
- remotely exploitable
- no authentication required (CVE-2024-9140)
- low complexity
- affects all versions (no patch available yet)
- high CVSS score (9.8)
- privilege escalation possible
- affects network connectivity and communications
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| Privilege Escalation and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security | All versions | No fix yet |
Remediation & Mitigation
Do now
- HOTFIX: Contact Moxa for security updates or patches for affected cellular routers, secure routers, and network security appliances
- HARDENING: Implement network segmentation to restrict access to Moxa device management interfaces; allow only authorized engineering workstations or control network access
- WORKAROUND: Disable or restrict remote management access (HTTP, HTTPS, SSH) to Moxa devices if not required for operations; use firewall rules to limit access to trusted IP addresses
- HARDENING: Change any default or shared credentials on affected Moxa devices (even if hard-coded, ensure any changeable credentials are unique and strong)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor Moxa devices for unusual command execution, configuration changes, or unauthorized access attempts
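One way to check the segmentation, firewall and monitoring items above, as an added example that is not part of the advisory: it reads flow records and reports management-port connections to Moxa devices from sources outside the trusted set. The device addresses, the trusted subnet and the `src dst dport action` record layout are constructed assumptions; adapt them to your own inventory and log format.

```python
import ipaddress

# Assumptions (not from the advisory): device addresses, the engineering
# workstation subnet, and the "src dst dport action" record layout are constructed.
MOXA_DEVICES = {ipaddress.ip_address(a) for a in ("10.20.0.5", "10.20.0.6")}
TRUSTED_SOURCES = [ipaddress.ip_network("10.10.50.0/28")]
# HTTP, HTTPS and SSH are the management services the advisory names.
MGMT_PORTS = {80: "HTTP", 443: "HTTPS", 22: "SSH"}

# Constructed sample flow records, one per line.
SAMPLE_FLOWS = """\
10.10.50.3 10.20.0.5 443 ALLOW
192.0.2.77 10.20.0.5 80 ALLOW
192.0.2.77 10.20.0.6 22 DENY
10.10.50.9 10.20.0.6 502 ALLOW
10.30.1.4 10.20.0.6 22 ALLOW
garbage line
"""

def audit_flows(text):
    """Return (line, kind, detail) for management flows from untrusted sources."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            src_s, dst_s, port_s, action = line.split()
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            # Surface malformed records instead of silently dropping them.
            findings.append((lineno, "unparsed", line.strip()))
            continue
        if dst not in MOXA_DEVICES or port not in MGMT_PORTS:
            continue
        if any(src in net for net in TRUSTED_SOURCES):
            continue
        # ALLOW means a restricting rule is missing; DENY is still an
        # access attempt worth alerting on.
        kind = "exposed" if action.upper() == "ALLOW" else "blocked-attempt"
        findings.append((lineno, kind, f"{src} -> {dst}:{port} ({MGMT_PORTS[port]})"))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding, sep="\t")
```

An `exposed` finding points at a firewall rule to tighten, while `blocked-attempt` findings feed the monitoring item.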
CVEs (2)