CVE-2024-9137 - Vulnerability Details

The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00171.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Moxa	Edf-g1002-bp Edr-8010 Edr-g9004 Edr-g9010 Nat-102 Oncell G4302-lte4 Tn-4900

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-50423	The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise.

Fixes

Solution

Please refer to the security advisories: * Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241154-missing-authentication-and-os-command-injection-vulnerabilities-in-routers-and-network-security-appliances * CVE-2024-9137: Missing Authentication Vulnerability in Ethernet Switches https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241156-cve-2024-9137-missing-authentication-vulnerability-in-ethernet-switches

Workaround

To mitigate the risks associated with this vulnerability, we recommend the following actions: * Disable Moxa Service and Moxa Service (Encrypted) temporarily if they are not required for operations. This will minimize potential attack vectors until a patch or updated firmware is applied. Refer to the General Security Best Practices section to further strengthen your security posture.

References

Link	Providers
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241154-missing-authentication-and-os-command-injection-vulnerabilities-in-routers-and-network-security-appliances
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241156-cve-2024-9137-missing-authentication-vulnerability-in-ethernet-switches

History

Fri, 17 Jan 2025 07:45:00 +0000

Type	Values Removed	Values Added
References		https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241156-cve-2024-9137-missing-authentication-vulnerability-in-ethernet-switches

Tue, 15 Oct 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Moxa Moxa edf-g1002-bp Moxa edr-8010 Moxa edr-g9004 Moxa edr-g9010 Moxa nat-102 Moxa oncell G4302-lte4 Moxa tn-4900
CPEs		cpe:2.3:a:moxa:edf-g1002-bp:::::::: cpe:2.3:a:moxa:edr-8010:::::::: cpe:2.3:a:moxa:edr-g9004:::::::: cpe:2.3:a:moxa:edr-g9010:::::::: cpe:2.3:a:moxa:nat-102:::::::: cpe:2.3:a:moxa:oncell_g4302-lte4:::::::: cpe:2.3:a:moxa:tn-4900::::::::
Vendors & Products		Moxa Moxa edf-g1002-bp Moxa edr-8010 Moxa edr-g9004 Moxa edr-g9010 Moxa nat-102 Moxa oncell G4302-lte4 Moxa tn-4900
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 14 Oct 2024 08:30:00 +0000

Type	Values Removed	Values Added
Description		The affected product lacks an authentication check when sending commands to the server via the Moxa service. This vulnerability allows an attacker to execute specified commands, potentially leading to unauthorized downloads or uploads of configuration files and system compromise.
Title		Moxa Service Missing Authentication for Critical Function
Weaknesses		CWE-306
References		https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241154-missing-authentication-and-os-command-injection-vulnerabilities-in-routers-and-network-security-appliances
Metrics		cvssV3_1 `{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H'}` cvssV4_0 `{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Moxa

Published: 2024-10-14T08:09:22.689Z

Updated: 2025-09-19T08:08:52.357Z

Reserved: 2024-09-24T07:11:35.456Z

Link: CVE-2024-9137

Vulnrichment

Updated: 2024-10-15T14:32:04.043Z

NVD

Status : Undergoing Analysis

Published: 2024-10-14T09:15:04.403

Modified: 2025-01-17T08:15:24.690

Link: CVE-2024-9137

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object