Moxa’s cellular routers, secure routers, and network security appliances are affected by two critical vulnerabilities that could lead to unauthorized access and system compromise. The first vulnerability, CVE-2024-9137, allows attackers to manipulate device configurations without authentication. The second vulnerability, CVE-2024-9139, permits OS command injection through improperly restricted commands, potentially enabling attackers to execute arbitrary codes. These vulnerabilities pose a significant security risk, and it is highly recommended to take immediate action in order to prevent potential exploitation.
The identified vulnerability types and potential impacts are listed below:
| Item |
Vulnerability Type |
Impact |
| 1 |
CWE-306: Missing Authentication for Critical Function
(CVE-2024-9137)
|
The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise. |
| 2 |
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
(CVE-2024-9139)
|
The affected product permits OS command injection through improperly restricted commands, potentially allowing attackers to execute arbitrary code. |
Vulnerability Scoring Details
| ID |
CVSS |
Vector |
Unauthenticated Remote Exploits |
| CVE-2024-9137 |
CVSS 3.1: 9.4 |
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |
Yes |
| CVSS 4.0: 8.8 |
AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N |
| CVE-2024-9139 |
CVSS 3.1: 7.2 |
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
No |
| CVSS 4.0: 8.6 |
AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |