Moxa Privilege Escalation and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances

Action: Plan Patch | CVSS 9.8 | MPSA-241155 | Jan 3, 2025
Moxa
Summary

Moxa cellular routers, secure routers, and network security appliances contain two critical vulnerabilities: CVE-2024-9138 (hard-coded credentials allowing privilege escalation to root) and CVE-2024-9140 (OS command injection via special character bypass allowing unauthenticated arbitrary code execution). The command injection vulnerability (CVE-2024-9140) is remotely exploitable without authentication and has a CVSS 3.1 score of 9.8. The privilege escalation vulnerability (CVE-2024-9138) requires prior authentication but allows escalation from user to root level. No patch is currently available from Moxa for either vulnerability.

What this means
What could happen
An attacker on your network could execute arbitrary commands on Moxa routers and security appliances, gaining complete control of these devices and potentially disrupting connectivity, rerouting traffic, or accessing sensitive network data. An authenticated user could escalate privileges to root level using hard-coded credentials, allowing unauthorized system modifications and service disruption.
Who's at risk
Water authorities and municipal utilities operating Moxa cellular routers, secure routers, or network security appliances in critical infrastructure networks should prioritize immediate containment. These devices are typically deployed at network boundaries and remote sites (water treatment plants, pump stations, substations) where they control connectivity and enforce security policies. Compromise of these devices could allow attackers to bypass perimeter controls, intercept communications, or pivot into OT networks.
How it could be exploited
An attacker can send specially crafted network requests containing special characters to bypass input validation on the Moxa device, allowing direct OS command injection that executes arbitrary code with root privileges. Alternatively, an attacker with any authenticated access could exploit hard-coded credentials embedded in the device firmware to escalate from user to root level, gaining full system control.
Prerequisites
  • Network access to the Moxa device (CVE-2024-9140: no authentication required; CVE-2024-9138: any valid authenticated session)
  • Ability to send HTTP/CLI requests to the device management interface
Tags:
  • remotely exploitable
  • no authentication required (CVE-2024-9140)
  • low complexity
  • no patch available
  • affects network boundary and security controls
  • hard-coded credentials present
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (1)
Product                                                                                                                    | Affected Versions | Fix Status
Privilege Escalation and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security   | All versions      | No fix yet
Remediation & Mitigation
Do now
HOTFIX: Contact Moxa support immediately to obtain security updates or workarounds for your specific router and appliance models; the current advisory indicates no fix is available.
WORKAROUND: Implement strict network access controls: restrict access to Moxa device management interfaces (web console, SSH, Telnet) to authorized engineering workstations only, using firewall rules.
WORKAROUND: Disable or restrict remote management protocols (HTTP, HTTPS, SSH, Telnet) on Moxa devices if they are not actively required for operations; use local console access only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor Moxa device logs and network traffic for suspicious command patterns, authentication attempts, and unexpected privilege escalation events.
Long-term hardening
HARDENING: Segment Moxa routers and security appliances onto a protected management network separate from production OT systems and untrusted IT networks.