CVE-2024-9137

EUVD-2024-50423
The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.4 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
moxaedr-g9010
1.0 ≤
𝑥
≤ 3.12.1
ADP
moxanat-102
1.0 ≤
𝑥
≤ 1.0.5
ADP
moxatn-4900
1.0 ≤
𝑥
≤ 3.6
ADP
moxaoncell_g4302-lte4
1.0 ≤
𝑥
≤ 3.9
ADP
moxaedf-g1002-bp
1.0 ≤
𝑥
≤ 3.12.1
ADP
moxaedr-g9004
1.0 ≤
𝑥
≤ 3.12.1
ADP
moxaedr-8010
1.0 ≤
𝑥
≤ 3.12.1
ADP
Common Weakness Enumeration
References
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241154-missing-authentication-and-os-command-injection-vulnerabilities-in-routers-and-network-security-appliances
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241156-cve-2024-9137-missing-authentication-vulnerability-in-ethernet-switches