CVE-2024-9138

High

Published: 03 January 2025

Published

03 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0018 39.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Moxa’s cellular routers, secure routers, and network security appliances are affected by a high-severity vulnerability, CVE-2024-9138. This vulnerability involves hard-coded credentials, enabling an authenticated user to escalate privileges and gain root-level access to the system, posing a significant security risk.

Security Summary

CVE-2024-9138 is a high-severity vulnerability (CVSS 7.2, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) affecting Moxa's cellular routers, secure routers, and network security appliances. The issue stems from hard-coded credentials (CWE-656), which allow an authenticated user to escalate privileges and obtain root-level access to the system.

An attacker with high-level privileges (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required. Successful exploitation grants root access, enabling high-impact confidentiality, integrity, and availability compromises, such as full system control.

Moxa's security advisory (MPSA-241155) details the privilege escalation and related OS command injection vulnerabilities in the affected products, providing guidance on mitigation measures. Security practitioners should consult the advisory at https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo for patching instructions and workarounds.

Details

CWE(s): CWE-656

References

https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo
psirt@moxa.com