CVE-2019-5140

Name of the Vulnerable Software and Affected Versions Moxa AWK-3131A firmware version 1.13

Description The issue exists due to the lack of neutralization of special elements used in an operating system command. This allows for a command injection vulnerability in the iwwebs functionality, where a specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iwsystem call. As a result, an attacker can gain remote control over the device by sending commands while authenticated as a low-privilege user.

Recommendations For Moxa AWK-3131A firmware version 1.13, consider disabling the iwsystem call or restricting access to the diagnostic script functionality until a patch is available. Additionally, limit the privileges of low-privilege users to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.