Critical Vulnerabilities in Moxa Routers Allow Root Privilege Escalation
Critical security vulnerabilities have been found in Moxa cellular routers and network security appliances. Learn about CVE-2024-9138 & CVE-2024-9140, including privilege escalation and OS command injection risks. Find mitigation strategies and affected products.
Moxa, an industrial networking and communications provider, has identified a critical vulnerability in its cellular routers, secure routers, and network security appliances, allowing remote attackers to gain root privileges and execute arbitrary commands, potentially leading to code execution.
In its security advisory, MPSA-241155, Moxa addresses two critical vulnerabilities, CVE-2024-9138 (8.6, high severity) and CVE-2024-9140 (9.3, critical severity), identified by Lars Haulin and found to be affecting its routers and network security appliances.
CVE-2024-9138 involves hard-coded credentials that allow an authenticated user to escalate privileges to the root level. This could lead to severe consequences, including system compromise, unauthorized modifications, data exposure, and service disruption.
On the other hand, CVE-2024-9140 is an OS Command Injection vulnerability, which allows attackers to exploit special characters in input to execute arbitrary commands on the system. This flaw is particularly dangerous because remote attackers can exploit it to gain unauthorized control over the device.
The advisory provides detailed information on affected products and firmware versions, along with recommended solutions such as firmware upgrades.
Moxa has confirmed that the vulnerabilities do not affect the MRC-1002 Series, TN-5900 Series, and OnCell 3120-LTE-1 Series. For products without immediate firmware updates available, the advisory recommends mitigating the risks by minimizing network exposure, limiting SSH access, and implementing intrusion detection or prevention systems. The advisory emphasizes the importance of promptly addressing these critical vulnerabilities to maintain the security and integrity of the affected devices.
The rise in vulnerabilities affecting routers and network security appliances in recent years demonstrates the necessity for continuous caution and proactive security measures.
Hackread recently reported VulnCheck’s discovery of a new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), stemming from a weakness in the router’s system time adjustment functionality. This flaw allowed attackers to remotely execute commands on vulnerable devices.
Censys research earlier identified 14 vulnerabilities in DrayTek Vigor routers, allowing attackers to potentially control network devices and launch further attacks. The most impacted regions included Taiwan, Vietnam, Germany, the Netherlands, and the United Kingdom.
Now the Moxa vulnerabilities, with their potential for privilege escalation and remote code execution, further highlight the rising severity of such vulnerabilities. These flaws can allow attackers to gain unauthorized control over devices, disrupt critical operations, steal sensitive data, or use compromised devices as launching points for further attacks.
Therefore, promptly addressing these vulnerabilities through firmware updates, implementing strong access controls, and regularly reviewing and updating security configurations are crucial for maintaining a secure network environment.
John Bambenek, President at Bambenek Consulting, commented on the issue, stating, “It has not been a good year for network devices and one of the vulnerabilities being flagged as a device having hard-coded default credentials really begs the question of how these devices end up shipped to the world with no apparent security auditing.”
“If organizations cannot patch, they should restrict inbound access to the devices themselves to prevent exploitation,” John advised. “This is a reminder for ICS/OT companies to do some basic security hygiene to prevent against these and other as of yet undisclosed vulnerabilities.”