CVE-2024-9140
Published: 03 January 2025
Description
Moxa’s cellular routers, secure routers, and network security appliances are affected by a critical vulnerability, CVE-2024-9140. This vulnerability allows OS command injection due to improperly restricted commands, potentially enabling attackers to execute arbitrary code. This poses a significant risk to the system’s security and functionality.
Security Summary
CVE-2024-9140 is a critical OS command injection vulnerability (CWE-78) affecting Moxa's cellular routers, secure routers, and network security appliances. The flaw stems from improperly restricted commands, allowing attackers to execute arbitrary operating system commands. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
Remote attackers require no authentication or user interaction to exploit this vulnerability over the network, and the attack complexity is low. Successful exploitation enables arbitrary code execution with high impact on the confidentiality, integrity, and availability of affected devices, potentially giving an attacker full control over the routers and appliances.
Moxa has published security advisory MPSA-241155 detailing the privilege escalation and OS command injection vulnerabilities, including affected products and recommended mitigations, available at https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo. Security practitioners should consult this advisory for patching instructions and workarounds.
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS Command Injection)