Moxa Product Security Update Advisory (CVE-2024-9137, CVE-2024-9139)

Overview

 

An update has been released to address vulnerabilities in Moxa products. Users of the affected versions are advised to update to the latest version.

 

Affected Products

 

CVE-2024-9137, CVE-2024-9139

  • EDR-8010 Series versions: 3.12.1 and earlier
  • EDR-G9004 Series versions: 3.12.1 and earlier
  • EDR-G9010 Series versions: 3.12.1 and earlier
  • EDR-G1002-BP Series versions: 3.12.1 and earlier
  • NAT-102 Series versions: 1.0.5 and earlier
  • OnCell G4302-LTE4 Series versions: 3.9 and earlier
  • TN-4900 Series versions: 3.6 and earlier

 

 

Resolved Vulnerabilities

 

Missing authentication check on commands sent to the server via the Moxa service, which could allow an attacker to execute specified commands and compromise the system through unauthorized download or upload of configuration files (CVE-2024-9137)

OS command injection through improperly restricted commands, which could allow an attacker to execute arbitrary code (CVE-2024-9139)

 

 

Vulnerability Patches

 

The following product-specific patched versions are available in the latest update. If you are using an affected version, please follow the instructions on the referenced sites to update to the latest patched version.

 

CVE-2024-9137, CVE-2024-9139

  • EDR-8010 Series version: 3.13
  • EDR-G9004 Series version: 3.13
  • EDR-G9010 Series version: 3.13
  • EDR-G1002-BP Series version: 3.13
  • NAT-102 Series version: Refer to reference [4] for the patch version.
  • OnCell G4302-LTE4 Series version: 3.13
  • TN-4900 Series version: 3.13

 

 

References

[1] CVE-2024-9137 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-9137

[2] CVE-2024-9139 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-9139

[3] Security Advisories

https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241154-missing-authentication-and-os-command-injection-vulnerabilities-in-routers-and-network-security-appliances

[4] Moxa Technical Support

https://www.moxa.com/en/membership/sign-in?returnurl=%2fen%2fsupport%2ftechnical-support