CVSS: 8.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-0676 – Commend Injection Leading to Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-0676
02 Apr 2025 — This vulnerability involves command injection in tcpdump within Moxa products, enabling an authenticated attacker with console access to exploit improper input validation to inject and execute systems commands. Successful exploitation could result in privilege escalation, allowing the attacker to gain root shell access and maintain persistent control over the device, potentially disrupting network services and affecting the availability of downstream systems that rely on its connectivity. • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-259491-cve-2025-0676-command-injection-leading-to-privilege-escalation • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.2EPSS: 0%CPEs: 7EXPL: 0CVE-2025-0415 – Command Injection in NTP Setting
https://notcve.org/view.php?id=CVE-2025-0415
02 Apr 2025 — A remote attacker with web administrator privileges can exploit the device’s web interface to execute arbitrary system commands through the NTP settings. Successful exploitation may result in the device entering an infinite reboot loop, leading to a total or partial denial of connectivity for downstream systems that rely on its network services. • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-259491-cve-2025-0415-command-injection-leading-to-denial-of-service-(dos) • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.7EPSS: 0%CPEs: 51EXPL: 0CVE-2024-7695 – Out-of-bounds Write Vulnerability
https://notcve.org/view.php?id=CVE-2024-7695
29 Jan 2025 — Multiple switches are affected by an out-of-bounds write vulnerability. This vulnerability is caused by insufficient input validation, which allows data to be written to memory outside the bounds of the buffer. Successful exploitation of this vulnerability could result in a denial-of-service attack. This vulnerability poses a significant remote threat if the affected products are exposed to publicly accessible networks. Attackers could potentially disrupt operations by shutting down the affected systems. • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-240162-cve-2024-7695-out-of-bounds-write-vulnerability-identified-in-multiple-pt-switches • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2024-12297 – Frontend Authorization Logic Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-12297
15 Jan 2025 — Moxa’s Ethernet switch EDS-508A Series, running firmware version 3.11 and earlier, is vulnerable to an authentication bypass because of flaws in its authorization mechanism. Although both client-side and back-end server verification are involved in the process, attackers can exploit weaknesses in its implementation. These vulnerabilities may enable brute-force attacks to guess valid credentials or MD5 collision attacks to forge authentication hashes, potentially compromising the security of the device. El c... • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241407-cve-2024-12297-frontend-authorization-logic-disclosure-vulnerability-in-eds-508a-series • CWE-656: Reliance on Security Through Obscurity •
CVSS: 10.0EPSS: 0%CPEs: 7EXPL: 0CVE-2024-9140
https://notcve.org/view.php?id=CVE-2024-9140
03 Jan 2025 — Moxa’s cellular routers, secure routers, and network security appliances are affected by a critical vulnerability, CVE-2024-9140. This vulnerability allows OS command injection due to improperly restricted commands, potentially enabling attackers to execute arbitrary code. This poses a significant risk to the system’s security and functionality. • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.6EPSS: 0%CPEs: 10EXPL: 0CVE-2024-9138 – Privilege Escalation in Cellular Router, Secure Router, and Network Security Appliances
https://notcve.org/view.php?id=CVE-2024-9138
03 Jan 2025 — Moxa’s cellular routers, secure routers, and network security appliances are affected by a high-severity vulnerability, CVE-2024-9138. This vulnerability involves hard-coded credentials, enabling an authenticated user to escalate privileges and gain root-level access to the system, posing a significant security risk. • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo • CWE-656: Reliance on Security Through Obscurity •
CVSS: 8.7EPSS: 0%CPEs: 47EXPL: 0CVE-2024-9404 – Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2024-9404
04 Dec 2024 — Moxa’s IP Cameras are affected by a medium-severity vulnerability, CVE-2024-9404, which could lead to a denial-of-service condition or cause a service crash. This vulnerability allows attackers to exploit the Moxa service, commonly referred to as moxa_cmd, originally designed for deployment. Because of insufficient input validation, this service may be manipulated to trigger a denial-of-service. This vulnerability poses a significant remote threat if the affected products are exposed to publicly accessible ... • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-240930-cve-2024-9404-denial-of-service-vulnerability-identified-in-the-vport-07-3-series • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4740 – MXsecurity Use of Hard-coded Credentials
https://notcve.org/view.php?id=CVE-2024-4740
18 Oct 2024 — MXsecurity software versions v1.1.0 and prior are vulnerable because of the use of hard-coded credentials. This vulnerability could allow an attacker to tamper with sensitive data. Las versiones v1.1.0 y anteriores del software MXsecurity son vulnerables debido al uso de credenciales codificadas. Esta vulnerabilidad podría permitir que un atacante altere datos confidenciales. • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-231878-mxsecurity-series-multiple-vulnerabilities • CWE-798: Use of Hard-coded Credentials •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4739 – MXsecurity License Generation Function Disclosure
https://notcve.org/view.php?id=CVE-2024-4739
18 Oct 2024 — The lack of access restriction to a resource from unauthorized users makes MXsecurity software versions v1.1.0 and prior vulnerable. By acquiring a valid authenticator, an attacker can pose as an authorized user and successfully access the resource. La falta de restricción de acceso a un recurso por parte de usuarios no autorizados hace que las versiones v1.1.0 y anteriores del software MXsecurity sean vulnerables. Al obtener un autenticador válido, un atacante puede hacerse pasar por un usuario autorizado ... • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-231878-mxsecurity-series-multiple-vulnerabilities • CWE-749: Exposed Dangerous Method or Function •
CVSS: 8.6EPSS: 0%CPEs: 8EXPL: 0CVE-2024-9139 – OS Command Injection in Restricted Command
https://notcve.org/view.php?id=CVE-2024-9139
14 Oct 2024 — The affected product permits OS command injection through improperly restricted commands, potentially allowing attackers to execute arbitrary code. El producto afectado permite la inyección de comandos del sistema operativo a través de comandos restringidos incorrectamente, lo que potencialmente permite a los atacantes ejecutar código arbitrario. • https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241154-missing-authentication-and-os-command-injection-vulnerabilities-in-routers-and-network-security-appliances • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •