
SUMMARY

CVE-2024-9137: Missing Authentication Vulnerability in Ethernet Switches

  • Security Advisory ID: MPSA-241156
  • Version: V1.1
  • Release Date: Jan 17, 2025
  • Reference: CVE-2024-9137 (Moxa)

Moxa’s Ethernet switches are affected by a critical vulnerability, CVE-2024-9137, which could result in unauthorized access and system compromise. This vulnerability allows attackers to manipulate device configurations without requiring authentication. Given the significant security risks, immediate action is strongly recommended to mitigate potential exploitation.


The identified vulnerability types and potential impacts are listed below:

Item  Vulnerability Type                                                      Impact
1     CWE-306: Missing Authentication for Critical Function (CVE-2024-9137)   The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise.
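To make the CWE-306 pattern concrete, here is an added illustration that is not Moxa's code and does not model the Moxa Service protocol (whose message format this advisory does not describe). It is a hypothetical command dispatcher in Python: the vulnerable form runs the configuration download/upload handlers without ever consulting the caller's session, while the hardened form authenticates first, authorizes by role second, denies unknown commands by default, and records every denial so that unauthenticated attempts show up in the device audit trail. The Session and Device classes, the command names and the sample addresses are all assumptions made for the example.

```python
import logging
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("cmd-service")


@dataclass
class Session:
    """Hypothetical per-connection state: what the server knows about the sender."""
    peer: str                              # constructed: remote address as text
    authenticated: bool = False
    roles: Set[str] = field(default_factory=set)


@dataclass
class Device:
    """Hypothetical device state touched by the commands."""
    config: Dict[str, str] = field(default_factory=lambda: {"hostname": "switch-01"})
    audit: List[str] = field(default_factory=list)


# Critical functions: exporting or replacing the running configuration.
def config_download(dev: Device, _arg: str) -> str:
    return ";".join(f"{k}={v}" for k, v in sorted(dev.config.items()))


def config_upload(dev: Device, arg: str) -> str:
    for pair in arg.split(";"):
        key, _, value = pair.partition("=")
        dev.config[key.strip()] = value.strip()
    return "ok"


COMMANDS: Dict[str, Callable[[Device, str], str]] = {
    "config-download": config_download,
    "config-upload": config_upload,
}

# Role required per command. Every critical command must be listed here;
# anything missing is refused (default deny).
REQUIRED_ROLE: Dict[str, str] = {
    "config-download": "admin",
    "config-upload": "admin",
}


def dispatch_vulnerable(dev: Device, session: Session, command: str, arg: str = "") -> str:
    """CWE-306 shape: the handler runs whatever arrives and never looks at the session."""
    handler = COMMANDS.get(command)
    if handler is None:
        return "error: unknown command"
    return handler(dev, arg)


def dispatch_hardened(dev: Device, session: Session, command: str, arg: str = "") -> str:
    """Authenticate, then authorize, then (and only then) look the command up."""
    if not session.authenticated:
        # Denials are logged and audited: this is the signal a SOC would alert on.
        dev.audit.append(f"DENY unauthenticated {command} from {session.peer}")
        log.warning("denied unauthenticated %s from %s", command, session.peer)
        return "error: authentication required"
    role = REQUIRED_ROLE.get(command)
    if role is None:
        dev.audit.append(f"DENY unknown command {command!r} from {session.peer}")
        return "error: unknown command"
    if role not in session.roles:
        dev.audit.append(f"DENY {command} from {session.peer}: needs role {role}")
        return "error: forbidden"
    dev.audit.append(f"ALLOW {command} from {session.peer}")
    return COMMANDS[command](dev, arg)


if __name__ == "__main__":
    device = Device()
    anonymous = Session(peer="192.0.2.10")                  # constructed address
    print(dispatch_vulnerable(device, anonymous, "config-download"))
    print(dispatch_hardened(device, anonymous, "config-download"))
    print(device.audit)
```

The hardened dispatcher keeps the authentication check ahead of the command lookup so that an unauthenticated peer cannot even learn which commands exist, and it records the denial before returning; on a switch, the equivalent audit entries are what the logging and anomaly-detection recommendations later in this advisory rely on.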

Vulnerability Scoring Details

ID             Base Score     Vector                                                  Unauthenticated Remote Exploits
CVE-2024-9137  CVSS 3.1: 9.4  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H                     Yes
               CVSS 4.0: 8.8  AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Note: This advisory uses CVSS 3.1 as the standard for determining severity levels. CVSS 4.0 is provided as a reference metric for comparison.

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products

The affected products and firmware versions are listed below.

No. Product Series Affected Versions
1 EDS-608 Series Firmware version 3.12 and earlier
2 EDS-611 Series Firmware version 3.12 and earlier
3 EDS-616 Series Firmware version 3.12 and earlier
4 EDS-619 Series Firmware version 3.12 and earlier
5 EDS-405A Series Firmware version 3.14 and earlier
6 EDS-408A Series Firmware version 3.12 and earlier
7 EDS-505A Series Firmware version 3.11 and earlier
8 EDS-508A Series Firmware version 3.11 and earlier
9 EDS-510A Series Firmware version 3.12 and earlier
10 EDS-516A Series Firmware version 3.11 and earlier
11 EDS-518A Series Firmware version 3.11 and earlier
12 EDS-G509 Series Firmware version 3.10 and earlier
13 EDS-P510 Series Firmware version 3.11 and earlier
14 EDS-P510A Series Firmware version 3.11 and earlier
15 EDS-510E Series Firmware version 5.5 and earlier
16 EDS-518E Series Firmware version 6.3 and earlier
17 EDS-528E Series Firmware version 6.3 and earlier
18 EDS-G508E Series Firmware version 6.4 and earlier
19 EDS-G512E Series Firmware version 6.4 and earlier
20 EDS-G516E Series Firmware version 6.4 and earlier
21 EDS-P506E Series Firmware version 5.8 and earlier
22 ICS-G7526A Series Firmware version 5.10 and earlier
23 ICS-G7528A Series Firmware version 5.10 and earlier
24 ICS-G7748A Series Firmware version 5.9 and earlier
25 ICS-G7750A Series Firmware version 5.9 and earlier
26 ICS-G7752A Series Firmware version 5.9 and earlier
27 ICS-G7826A Series Firmware version 5.10 and earlier
28 ICS-G7828A Series Firmware version 5.10 and earlier
29 ICS-G7848A Series Firmware version 5.9 and earlier
30 ICS-G7850A Series Firmware version 5.9 and earlier
31 ICS-G7852A Series Firmware version 5.9 and earlier
32 IKS-G6524A Series Firmware version 5.10 and earlier
33 IKS-6726A Series Firmware version 5.9 and earlier
34 IKS-6728A Series IKS-6728A Series: Firmware version 5.9 and earlier; IKS-6728A-8POE Series: Firmware version 5.9 and earlier

35 IKS-G6824A Series Firmware version 5.10 and earlier
36 SDS-3006 Series Firmware version 3.0 and earlier
37 SDS-3008 Series Firmware version 3.0 and earlier
38 SDS-3010 Series Firmware version 3.0 and earlier
39 SDS-3016 Series Firmware version 3.0 and earlier
40 SDS-G3006 Series Firmware version 3.0 and earlier
41 SDS-G3008 Series Firmware version 3.0 and earlier
42 SDS-G3010 Series Firmware version 3.0 and earlier
43 SDS-G3016 Series Firmware version 3.0 and earlier
44 PT-7728 Series Firmware version 3.9 and earlier
45 PT-7828 Series Firmware version 4.0 and earlier
46 PT-G503 Series Firmware version 5.3 and earlier
47 PT-G510 Series Firmware version 6.5 and earlier
48 PT-G7728 Series Firmware version 6.4 and earlier
49 PT-G7828 Series Firmware version 6.4 and earlier
50 TN-4500A Series Firmware version 3.13 and earlier
51 TN-5500A Series Firmware version 3.13 and earlier
52 TN-G4500 Series Firmware version 5.5 and earlier
53 TN-G6500 Series Firmware version 5.5 and earlier
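As an added example that is not part of the advisory, the following Python helper reads rows written in the format of the table above and reports whether a given firmware version falls inside the affected range. A subset of the table's rows, copied verbatim, is embedded as constructed input, together with a constructed inventory. Versions are compared as numeric tuples so that 5.9 is correctly treated as earlier than 5.10; a plain string comparison would rank them the other way round. The thresholds are applied exactly as the table states them; the patch versions in the Solutions table are the fixed releases.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed input: a subset of rows copied from the Affected Products table
# of this advisory, in the exact row format the table uses.
AFFECTED_ROWS = """
EDS-405A Series Firmware version 3.14 and earlier
EDS-408A Series Firmware version 3.12 and earlier
EDS-510E Series Firmware version 5.5 and earlier
ICS-G7526A Series Firmware version 5.10 and earlier
SDS-3008 Series Firmware version 3.0 and earlier
PT-G7728 Series Firmware version 6.4 and earlier
"""

ROW_RE = re.compile(
    r"^(?P<series>\S+ Series)\s+Firmware version (?P<ver>\d+(?:\.\d+)*) and earlier$"
)


def parse_version(text: str) -> Version:
    """'5.10.16' -> (5, 10, 16): numeric tuples compare correctly, strings do not."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_table(rows: str) -> Dict[str, Version]:
    """Map each product series to the highest affected version from the table rows."""
    thresholds: Dict[str, Version] = {}
    for line in rows.strip().splitlines():
        match = ROW_RE.match(line.strip())
        if match is None:
            raise ValueError(f"unrecognised table row: {line!r}")
        thresholds[match["series"]] = parse_version(match["ver"])
    return thresholds


def is_affected(series: str, firmware: str, thresholds: Dict[str, Version]) -> Optional[bool]:
    """True if the firmware is at or below the advisory threshold, None if not listed."""
    threshold = thresholds.get(series)
    if threshold is None:
        return None
    # Tuple comparison: (5, 9) <= (5, 10) is True; (3, 14, 4) <= (3, 14) is False.
    return parse_version(firmware) <= threshold


def triage(inventory: List[Tuple[str, str]],
           thresholds: Dict[str, Version]) -> List[Tuple[str, str, str]]:
    """Label every (series, firmware) pair as AFFECTED, NOT_AFFECTED or NOT_LISTED."""
    labels = {True: "AFFECTED", False: "NOT_AFFECTED", None: "NOT_LISTED"}
    return [(series, fw, labels[is_affected(series, fw, thresholds)]) for series, fw in inventory]


if __name__ == "__main__":
    # Constructed inventory; "5.9" against "5.10" is the case a string compare gets wrong.
    sample = [
        ("ICS-G7526A Series", "5.9"),
        ("ICS-G7526A Series", "5.10.16"),
        ("EDS-405A Series", "3.14"),
        ("EDS-405A Series", "3.14.4"),
        ("EDS-G512E Series", "6.4"),
    ]
    for series, fw, status in triage(sample, parse_table(AFFECTED_ROWS)):
        print(f"{series:<20} {fw:<8} {status}")
```

A NOT_LISTED result only means the series is absent from the rows fed to the helper, not that it is unaffected; feed it the full table before relying on that label.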

 

Solutions

Moxa has developed appropriate solutions to address this vulnerability. The solutions for the affected products are listed below.

No. Product Series Solutions
1 EDS-608 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.12.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
2 EDS-611 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.12.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
3 EDS-616 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.12.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
4 EDS-619 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.12.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
5 EDS-405A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version addresses the following vulnerabilities, with specific firmware versions available for each model: EDS-405A (3.14.4), EDS-405A-PTP (3.11.4), and EDS-405A-PN (3.11.2).

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
6 EDS-408A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version addresses the following vulnerabilities, with specific firmware versions available for each model: EDS-408A (3.14.6) and EDS-405A-PN (3.12.2).

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
7 EDS-505A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.11.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
8 EDS-508A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.11.4 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
9 EDS-510A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.12.4 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
10 EDS-516A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.11.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
11 EDS-518A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.11.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
12 EDS-G509 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.10.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
13 EDS-P510 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.11.4 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
14 EDS-P510A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.11.4 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
15 EDS-510E Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.5.10 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
16 EDS-518E Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 6.3.10 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
17 EDS-528E Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 6.3.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
18 EDS-G508E Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 6.4.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
19 EDS-G512E Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 6.4.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
20 EDS-G516E Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 6.4.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
21 EDS-P506E Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.8.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
22 ICS-G7526A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.10.16 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
23 ICS-G7528A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.10.10 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
24 ICS-G7748A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.9.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
25 ICS-G7750A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.9.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
26 ICS-G7752A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.9.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
27 ICS-G7826A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.10.16 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
28 ICS-G7828A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.10.16 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
29 ICS-G7848A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.9.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
30 ICS-G7850A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.9.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
31 ICS-G7852A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.9.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
32 IKS-G6524A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.10.16 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
33 IKS-6726A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.9.10 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
34 IKS-6728A Series

IKS-6728A Series: Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.9.10 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.

IKS-6728A-8POE Series: Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.9.4 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
35 IKS-G6824A Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.10.16 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
36 SDS-3006 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.0.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
37 SDS-3008 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.0.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
38 SDS-3010 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.0.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
39 SDS-3016 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.0.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
40 SDS-G3006 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.0.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
41 SDS-G3008 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.0.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
42 SDS-G3010 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.0.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
43 SDS-G3016 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.0.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
44 PT-7728 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 3.9.2 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
45 PT-7828 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 4.0.4 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
46 PT-G503 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 5.3.6 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
47 PT-G510 Series

Please contact Moxa Technical Support for the security patch.

Note: The security patch version 6.5.8 addresses the following vulnerabilities:

  1. CVE-2024-9137: Missing authentication, which could allow unauthorized configuration changes.
  2. CVE-2024-7695: Out-of-bounds write vulnerability, potentially leading to a denial-of-service (DoS) attack.
  3. CVE-2024-9404: Denial-of-service vulnerability, which could result in system crashes or reboots.
48 PT-G7728 Series Upgrade to the firmware version 6.5 or later
49 PT-G7828 Series Upgrade to the firmware version 6.5 or later
50 TN-4500A Series Please contact Moxa Technical Support for the security patch
51 TN-5500A Series Please contact Moxa Technical Support for the security patch
52 TN-G4500 Series Please contact Moxa Technical Support for the security patch
53 TN-G6500 Series Please contact Moxa Technical Support for the security patch

Mitigations

To mitigate the risks associated with this vulnerability, we recommend the following actions:

  • Disable Moxa Service and Moxa Service (Encrypted) temporarily if they are not required for operations. This will minimize potential attack vectors until a patch or updated firmware is applied.
  • Refer to the General Security Best Practices section to further strengthen your security posture.

 

General Security Recommendations

To safeguard devices and networks, we recommend implementing the following measures to mitigate potential risks:

  1. Restrict Network Access
    • Use firewalls or access control lists (ACLs) to limit communication to trusted IP addresses and networks.
    • Segregate operational networks from other networks (e.g., enterprise networks) using VLANs or physical separation.
  2. Minimize Exposure
    • Avoid exposing devices directly to the Internet.
    • Disable unused network services and ports to reduce the attack surface.
  3. Enhance Device Authentication and Access Control
    • Implement multi-factor authentication (MFA) for accessing critical systems.
    • Use role-based access control (RBAC) to enforce the principle of least privilege.
  4. Regularly Update Firmware and Software
    • Keep devices updated with the latest firmware versions and security patches.
    • Establish a regular patch management schedule to address newly identified vulnerabilities.
  5. Secure Remote Access
    • Use encrypted communication protocols (e.g., VPN, SSH) for remote access.
    • Restrict remote access to authorized personnel only and enforce strong authentication mechanisms.
  6. Implement Anomaly Detection Techniques
    • Monitor network traffic and device behavior for unusual or unauthorized activities.
    • Use tools or techniques that can identify anomalies and provide alerts for potential threats.
  7. Implement Logging and Monitoring
    • Enable event logging and maintain audit trails on devices.
    • Regularly review logs for anomalies and unauthorized access attempts.
  8. Conduct Regular Security Assessments
    • Perform vulnerability assessments to identify potential risks.
    • Regularly review device configurations to ensure compliance with security policies.

 

Acknowledgement

We would like to express our appreciation to Lars Haulin for reporting the vulnerability, collaborating with us to enhance the security of our products, and helping us deliver better service to our customers.

 

Revision History:

VERSION  DESCRIPTION                                                                                             RELEASE DATE
1.0      First release                                                                                           January 17, 2025
1.1      Updated the version information of the security patch that fixes the vulnerabilities in the solution.  February 21, 2025
