Industrial networking device maker Moxa on Jan. 3 released patches for two bugs in its cellular routers, secure routers, and network security appliances, many of which operate in the critical infrastructure sector.
One of the bugs — CVE-2024-9140 — was a critical 9.3-rated flaw that could allow remote code execution (RCE), posing significant risk to the system’s security and communications.
The other bug — CVE-2024-9138 — was an 8.6 high-severity flaw involving hard-coded credentials that would let an authenticated user escalate privileges and gain root-level access to the system.
According to 6sense, although Moxa has a very small market share of networking devices compared with the likes of Cisco, many of its 517 customers are in critical infrastructure sectors.
Top customers include leading industrial manufacturers Siemens, KPMG, Verizon and Microsoft.
Trey Ford, chief information security officer at Bugcrowd, pointed out that Moxa’s homepage advertises network security for IT/OT convergence: clearly a highly sensitive offering.
“I'm glad they're openly publishing this advisory,” said Ford. “So many critical infrastructure sectors operate relatively soft targets, powering ICS/SCADA and OT networks that rely heavily on network isolation (air gap protections) for protection.”
Ford added that while ICS/SCADA and OT providers need to deliver more heavily tested and self-defending products, vendors offering that critical network segmentation and remote access protection face extremely high accountability for failure. Ford noted that this advisory underscores the importance of carefully testing and validating all critical suppliers and technologies — and prioritizing partnerships in vulnerability disclosures.
Mayuresh Dani, manager of security research at the Qualys Threat Research Unit, said that, in analyzing these vulnerabilities, CVE-2024-9138 will allow a remote threat actor to gain root-level access and execute arbitrary code via hard-coded credentials. CVE-2024-9140 is much more dangerous, said Dani, because it allows unauthenticated execution of OS commands.
“Affected Moxa devices are normally found installed in critical industries such as transportation, utilities and energy, and telecommunications,” said Dani. “If a threat actor were to compromise Moxa's cellular routers, secure routers, or network security appliances, it would allow unabated access to internal networks and data, compromising all communications.”