CVE-2018-10699
Description
An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_privatePass" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated command injection in Moxa AWK-3121 certfile upload via POST parameter iw_privatePass allows full device compromise.
Vulnerability
The Moxa AWK-3121 wireless access point firmware version 1.14 contains a command injection vulnerability in the certfile upload functionality. The POST parameter iw_privatePass is not sanitized before being processed by the device. An attacker can inject arbitrary operating system commands by including shell metacharacters (e.g., ;, |, or backticks) in this parameter value. No authentication is required to reach this code path because the upload endpoint is exposed to network-level attackers. Affected versions include AWK-3121 firmware 1.14; earlier releases may also be vulnerable [1].
Exploitation
An attacker with network access to the device can craft a POST request to the certfile upload endpoint. The iw_privatePass parameter is the injection point; including shell metacharacters followed by arbitrary commands results in command execution as the root or system user. No prior authentication or session is required, and no user interaction on the target device is necessary. The attack can be performed by sending a single crafted HTTP request [1].
Impact
Successful exploitation gives the attacker full remote command execution on the Moxa AWK-3121 with root privileges. This leads to complete compromise of the device's confidentiality, integrity, and availability. An attacker can install persistent backdoors, reconfigure the wireless network, exfiltrate sensitive data, or use the device as a pivot point to attack other network hosts [1].
Mitigation
Moxa has released firmware updates addressing this issue; users should upgrade to version 1.19 or later. If upgrading is not immediately possible, restrict network access to the administrative web interface to trusted IPs only, and disable the certfile upload functionality if not required. The AWK-3121 is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
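Where a reverse proxy or traffic-inspection hook sits in front of the administrative web interface, requests whose iw_privatePass value contains shell metacharacters can be flagged for review. The Python below is an added example, not code from Moxa or from the referenced advisories; the two request encodings it handles and the sample bodies are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes
from urllib.parse import parse_qs

FIELD = "iw_privatePass"  # POST parameter named in the CVE description
# Characters a POSIX shell treats specially; any of them in the value is flagged.
SHELL_META = re.compile(r"[;|&`$<>(){}\\\n\r'\"]")

def extract_field(content_type, body, name=FIELD):
    """Return every value submitted for `name` in a urlencoded or multipart body."""
    ctype = content_type.lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        return parse_qs(body.decode("latin-1"), keep_blank_values=True).get(name, [])
    if ctype.startswith("multipart/form-data"):
        # Re-attach the Content-Type header so the MIME parser knows the boundary.
        msg = message_from_bytes(
            b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body)
        return [(part.get_payload(decode=True) or b"").decode("latin-1")
                for part in msg.walk()
                if part.get_param("name", header="content-disposition") == name]
    return []

def suspicious_values(content_type, body):
    """Values of iw_privatePass that contain shell metacharacters."""
    return [v for v in extract_field(content_type, body) if SHELL_META.search(v)]

# Constructed sample requests (assumed encodings; not captured from a device).
BENIGN = ("application/x-www-form-urlencoded", b"iw_privatePass=Corr3ctHorse&x=1")
ENCODED = ("application/x-www-form-urlencoded", b"iw_privatePass=abc%3Becho+x")
MULTIPART = (
    "multipart/form-data; boundary=XX",
    b"--XX\r\nContent-Disposition: form-data; name=\"iw_privatePass\"\r\n\r\n"
    b"abc|echo x\r\n--XX--\r\n",
)

if __name__ == "__main__":
    for ctype, body in (BENIGN, ENCODED, MULTIPART):
        hits = suspicious_values(ctype, body)
        print("ALERT" if hits else "ok", ctype.split(";")[0], hits)
```

A legitimate passphrase can contain some of these characters, so a hit is a prompt for review rather than proof of an attack.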
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Moxa/AWK-3121
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/153223/Moxa-AWK-3121-1.14-Information-Disclosure-Command-Execution.html (mitre, x_refsource_MISC)
- github.com/samuelhuntley/Moxa_AWK_1121/blob/master/Moxa_AWK_1121 (mitre, x_refsource_MISC)
- seclists.org/bugtraq/2019/Jun/8 (mitre, mailing-list, x_refsource_BUGTRAQ)