Missing Authentication for Critical Function in Moxa Ethernet Switches

Published: 2025-01-20

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2024-9137
CWE-ID	CWE-306
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	EDS-608 Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-611 Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-616 Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-619 Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-405A Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-408A Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-505A Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-508A Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-510A Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-516A Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-518A Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-G509 Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-P510 Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-P510A Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-510E Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-518E Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-528E Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-G508E Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-G512E Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-G516E Series Hardware solutions / Routers & switches, VoIP, GSM, etc EDS-P506E Series Hardware solutions / Routers & switches, VoIP, GSM, etc ICS-G7526A Series Hardware solutions / Routers & switches, VoIP, GSM, etc ICS-G7528A Series Hardware solutions / Routers & switches, VoIP, GSM, etc ICS-G7748A Series Hardware solutions / Routers & switches, VoIP, GSM, etc ICS-G7750A Series Hardware solutions / Routers & switches, VoIP, GSM, etc ICS-G7752A Series Hardware solutions / Routers & switches, VoIP, GSM, etc ICS-G7826A Series Hardware solutions / Routers & switches, VoIP, GSM, etc ICS-G7828A Series Hardware solutions / Routers & switches, VoIP, GSM, etc ICS-G7848A Series Hardware solutions / Routers & switches, VoIP, GSM, etc ICS-G7850A Series Hardware solutions / Routers & switches, VoIP, GSM, etc ICS-G7852A Series Hardware solutions / Routers & switches, VoIP, GSM, etc IKS-G6524A Series Hardware solutions / Routers & switches, VoIP, GSM, etc IKS-6726A Series Hardware solutions / Routers & switches, VoIP, GSM, etc IKS-6728A Series Hardware solutions / Routers & switches, VoIP, GSM, etc IKS-6728A-8POE Series Hardware solutions / Routers & switches, VoIP, GSM, etc IKS-G6824A Series Hardware solutions / Routers & switches, VoIP, GSM, etc SDS-3006 Series Hardware solutions / Routers & switches, VoIP, GSM, etc SDS-3008 Series Hardware solutions / Routers & switches, VoIP, GSM, etc SDS-3010 Series Hardware solutions / Routers & switches, VoIP, GSM, etc SDS-3016 Series Hardware solutions / Routers & switches, VoIP, GSM, etc SDS-G3006 Series Hardware solutions / Routers & switches, VoIP, GSM, etc SDS-G3008 Series Hardware solutions / Routers & switches, VoIP, GSM, etc SDS-G3010 Series Hardware solutions / Routers & switches, VoIP, GSM, etc SDS-G3016 Series Hardware solutions / Routers & switches, VoIP, GSM, etc PT-7728 Series Hardware solutions / Routers & switches, VoIP, GSM, etc PT-7828 Series Hardware solutions / Routers & switches, VoIP, GSM, etc PT-G503 Series Hardware solutions / Routers & switches, VoIP, GSM, etc PT-G510 Series Hardware solutions / Routers & switches, VoIP, GSM, etc PT-G7728 Series Hardware solutions / Routers & switches, VoIP, GSM, etc PT-G7828 Series Hardware solutions / Routers & switches, VoIP, GSM, etc TN-4500A Series Hardware solutions / Routers & switches, VoIP, GSM, etc TN-5500A Series Hardware solutions / Routers & switches, VoIP, GSM, etc TN-G4500 Series Hardware solutions / Routers & switches, VoIP, GSM, etc TN-G6500 Series Hardware solutions / Routers & switches, VoIP, GSM, etc
Vendor	Moxa

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Missing Authentication for Critical Function

EUVDB-ID: #VU103041

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-9137

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to missing authentication check when sending commands to the server via the Moxa service. A remote attacker can execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

EDS-608 Series: 3.12

EDS-611 Series: 3.12

EDS-616 Series: 3.12

EDS-619 Series: 3.12

EDS-405A Series: 3.14

EDS-408A Series: 3.12

EDS-505A Series: 3.11

EDS-508A Series: 3.11

EDS-510A Series: 3.12

EDS-516A Series: 3.11

EDS-518A Series: 3.11

EDS-G509 Series: 3.10

EDS-P510 Series: 3.11

EDS-P510A Series: 3.11

EDS-510E Series: 5.5

EDS-518E Series: 6.3

EDS-528E Series: 6.3

EDS-G508E Series: 6.4

EDS-G512E Series: 6.4

EDS-G516E Series: 6.4

EDS-P506E Series: 5.8

ICS-G7526A Series: 5.10

ICS-G7528A Series: 5.10

ICS-G7748A Series: 5.9

ICS-G7750A Series: 5.9

ICS-G7752A Series: 5.9

ICS-G7826A Series: 5.10

ICS-G7828A Series: 5.10

ICS-G7848A Series: 5.9

ICS-G7850A Series: 5.9

ICS-G7852A Series: 5.9

IKS-G6524A Series: 5.10

IKS-6726A Series: 5.9

IKS-6728A Series: 5.9

IKS-6728A-8POE Series: 5.9

IKS-G6824A Series: 5.10

SDS-3006 Series: 3.0

SDS-3008 Series: 3.0

SDS-3010 Series: 3.0

SDS-3016 Series: 3.0

SDS-G3006 Series: 3.0

SDS-G3008 Series: 3.0

SDS-G3010 Series: 3.0

SDS-G3016 Series: 3.0

PT-7728 Series: 3.9

PT-7828 Series: 4.0

PT-G503 Series: 5.3

PT-G510 Series: 6.5

PT-G7728 Series: 6.4

PT-G7828 Series: 6.4

TN-4500A Series: 3.13

TN-5500A Series: 3.13

TN-G4500 Series: 5.5

TN-G6500 Series: 5.5

CPE2.3

External links

http://www.moxa.com/en/support/product-support/security-advisory/mpsa-241154-missing-authentication-and-os-command-injection-vulnerabilities-in-routers-and-network-security-appliances
http://www.moxa.com/en/support/product-support/security-advisory/mpsa-241156-cve-2024-9137-missing-authentication-vulnerability-in-ethernet-switches

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.