Industrial networks exposed to attack by faulty Moxa devices


  • Moxa found two flaws affecting cellular router models, secure routers, and network security equipment
  • One of the bugs was deemed critical since it allowed for RCE
  • Patches are already available, so update now

Moxa, a global powerhouse in industrial networking, computing, and communications gear, has recently addressed two vulnerabilities impacting different cellular router models, secure routers, and network security gear.

Since one of the vulnerabilities is deemed critical, and can be abused remotely to devastating effect, Moxa urged its users to apply the fixes immediately.

In a security advisory, Moxa said it released patches for CVE-2024-9138 and CVE-2024-9140. The first stems from hardcoded credentials, which allow threat actors to elevate privileges and gain root-level access. It was given a severity score of 8.6 and was said to affect ten models, including the EDR-810 Series, EDR-8010 Series, and EDR-G902 Series.

Moxa devices targeted

The second vulnerability is more severe, allowing threat actors to exploit special characters to bypass input restrictions. As a result, they could run arbitrary commands remotely, which in turn could lead to full device takeover.

This bug was given a severity score of 9.8 (critical), and was said to affect a somewhat smaller list of devices. Among others, it includes EDR-G9004 Series, EDR-G9010 Series, and EDF-G1002-BP Series.

Moxa released different patches for different models and firmware versions, and added that the MRC-1002 Series, TN-5900 Series, and OnCell 3120-LTE-1 Series endpoints were not vulnerable to either bug.

It also offered a set of mitigations for those unable to apply the patch immediately. These include:

  • Minimizing network exposure to ensure the device is not accessible from the Internet.
  • Limiting SSH access to trusted IP addresses and networks using firewall rules or TCP wrappers.
  • Implementing an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) to detect and prevent exploitation attempts. “These systems can provide an additional layer of defense by monitoring network traffic for signs of attacks,” the company said.
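
The first two mitigations can be checked against firewall flow logs. The script below is an added example, not taken from Moxa's advisory or this article: it flags accepted connections to device addresses that originate outside the site, and SSH connections that come from outside the management subnet. The log format, addresses and network ranges are constructed assumptions.

```python
import ipaddress

# Constructed assumptions: site ranges, management subnet and device addresses.
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/28")]
DEVICES = {ipaddress.ip_address("10.20.0.10"), ipaddress.ip_address("10.20.0.11")}
SSH_PORT = 22

# Constructed flow records, one per line: "src dst dport action".
SAMPLE_FLOWS = """\
10.10.0.5 10.20.0.10 22 accept
10.30.4.17 10.20.0.10 22 accept
203.0.113.77 10.20.0.11 22 accept
203.0.113.77 10.20.0.11 443 accept
10.30.4.17 10.20.0.11 443 accept
203.0.113.9 10.20.0.10 22 drop
10.10.0.5 10.20.0.99 22 accept
truncated-record
"""

def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)

def audit(flow_text):
    """Return (line, finding, src, dst, port) for flows that break the mitigations."""
    findings = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record
        src_s, dst_s, port_s, action = parts
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # unparseable address or port
        if dst not in DEVICES or action != "accept":
            continue  # not a protected device, or already blocked
        if not in_any(src, SITE_NETS):
            findings.append((lineno, "internet-exposure", src_s, dst_s, port))
        elif port == SSH_PORT and not in_any(src, TRUSTED_MGMT):
            findings.append((lineno, "ssh-untrusted-source", src_s, dst_s, port))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```
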

The entire list of affected endpoints can be found on this link.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
