Moxa reports significant security vulnerabilities affecting their network devices

Moxa is reporting disclosed two significant security vulnerabilities affecting their cellular routers, secure routers, and network security appliances used in industrial environments including transportation, utilities, energy, and telecommunications sectors.

The critical vulnerabilities include:

• CVE-2024-9140 (CVSS score 9.8) - OS Command Injection. Allows remote attackers to execute arbitrary code through improperly restricted command. No authentication is required for exploitation.
• CVE-2024-9138 (CVSS score 8.6) - Hard-coded credentials. Allows authenticated users to escalate privileges to root level, potentially leading to system compromise, unauthorized modifications, data exposure, or service disruption

Affected products for both vulnerabilities:

• EDR-8010 Series (firmware 3.13.1 and earlier)
• EDR-G9004 Series (firmware 3.13.1 and earlier)
• EDR-G9010 Series (firmware 3.13.1 and earlier)
• EDF-G1002-BP Series (firmware 3.13.1 and earlier)
• NAT-102 Series (firmware 1.0.5 and earlier)
• OnCell G4302-LTE4 Series (firmware 3.13 and earlier)
• TN-4900 Series (firmware 3.13 and earlier)

Additionally, CVE-2024-9138 also affects:

• EDR-810 Series (firmware 5.12.37 and earlier)
• EDR-G902 Series (firmware 5.7.25 and earlier)

Moxa has released firmware version 3.14 (released December 31, 2024) as a fix for most affected devices. For OnCell G4302-LTE4 Series and TN-4900 Series, users need to contact Moxa Technical Support for security patches. The NAT-102 Series currently has no patch available.

The company has confirmed that the following products are not affected:

• MRC-1002 Series
• TN-5900 Series
• OnCell 3120-LTE-1 Series

The number of affected devices and any financial impact has not been disclosed in the advisory.