Moxa’s cellular routers, secure routers, and network security appliances are affected by two critical vulnerabilities that pose a significant security risk.
- CVE-2024-9138: This vulnerability involves hard-coded credentials, which could allow an authenticated user to escalate privileges and gain root-level access to the system.
- CVE-2024-9140: This vulnerability allows attackers to exploit special characters to bypass input restrictions, potentially leading to unauthorized command execution.
Immediate action is strongly recommended to prevent potential exploitation and mitigate these risks.
The identified vulnerability types and potential impacts are listed below:
| Item | Vulnerability Type | Impact |
|---|---|---|
| 1 | CWE-656: Reliance on Security Through Obscurity (CVE-2024-9138) | Exploitation of hard-coded credentials could allow an authenticated user to gain root-level access, leading to system compromise, unauthorized modifications, data exposure, or service disruption. |
| 2 | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CVE-2024-9140) | The affected product permits OS command injection through improperly restricted commands, potentially allowing attackers to execute arbitrary code. |
Vulnerability Scoring Details
| ID | Base Score | Vector | Unauthenticated Remote Exploits |
|---|---|---|---|
| CVE-2024-9138 | CVSS 3.1: 7.2 | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | No |
| CVE-2024-9138 | CVSS 4.0: 8.6 | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | No |
| CVE-2024-9140 | CVSS 3.1: 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Yes |
| CVE-2024-9140 | CVSS 4.0: 9.3 | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | Yes |
Note: This advisory uses CVSS 3.1 as the standard for determining severity levels. CVSS 4.0 is provided as a reference metric for comparison.