CVE-2018-10702
Description
An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to command injection via shell metacharacters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in the Moxa AWK-3121 script execution feature allows an authenticated administrator to run arbitrary OS commands via the iw_filename POST parameter.
Vulnerability
The vulnerability is present in Moxa AWK-3121 devices running firmware version 1.14. A script execution feature intended for troubleshooting accepts the POST parameter iw_filename without sanitizing shell metacharacters, enabling command injection [1]. An authenticated administrator can manipulate this parameter to inject arbitrary operating system commands.
Exploitation
An attacker must have administrative access to the device's web interface. When the attacker sends a crafted POST request to the script execution endpoint with shell metacharacters (e.g., ;, |, &&, or a backtick) embedded in the iw_filename parameter, the injected commands are executed in the context of the system shell [1]. No additional user interaction is required.
Impact
Successful exploitation gives the attacker full remote code execution with root-level privileges on the Moxa AWK-3121 [1]. This allows complete compromise of the device: data exfiltration, installation of persistent backdoors, denial of service, or pivoting into the internal network.
Mitigation
No official firmware patch is mentioned in the provided reference [1]. As a workaround, restrict administrative access to trusted networks only, monitor the device logs for suspicious POST requests, and contact Moxa support for the latest security updates. The device should not be exposed to untrusted networks.
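One way to implement the log-monitoring workaround above, as an added example that is not part of the CVE record or of any Moxa tooling: it percent-decodes a captured form-encoded POST body and flags iw_filename values that carry shell metacharacters or fall outside a plain file-name allow-list. The sample bodies, the allow-list pattern, and the metacharacters beyond ; | && and backtick are assumptions.

```python
import re
from urllib.parse import parse_qs

PARAM = "iw_filename"  # parameter named in the CVE description

# Characters a POSIX shell interprets. The page names ; | && and backtick;
# the rest of this set is an assumption added for coverage.
SHELL_META = re.compile(r"[;|&`$(){}<>\\\r\n]")

# Assumed allow-list for a plain script file name (not taken from the firmware).
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def inspect_body(body):
    """Return one finding per suspicious iw_filename value in a POST body."""
    findings = []
    # parse_qs percent-decodes values, so %3B, %7C and '+' encodings are
    # examined in their decoded form rather than slipping past a raw match.
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        hits = sorted(set(SHELL_META.findall(value)))
        if hits:
            findings.append(f"metacharacters {hits} in {value!r}")
        elif not SAFE_NAME.fullmatch(value):
            findings.append(f"unexpected characters in {value!r}")
    return findings


# Constructed sample request bodies (not captured from a real device).
SAMPLES = [
    "iw_filename=diag.sh&submit=Run",       # benign
    "iw_filename=diag.sh%3Bid&submit=Run",  # encoded ';'
    "iw_filename=diag.sh%7Cid",             # encoded '|'
    "iw_filename=%60id%60",                 # encoded backticks
    "iw_filename=my+script.sh",             # space: fails the allow-list
]


def scan(samples):
    """Map each flagged body to its findings; clean bodies are omitted."""
    results = {body: inspect_body(body) for body in samples}
    return {body: why for body, why in results.items() if why}


if __name__ == "__main__":
    for body, why in scan(SAMPLES).items():
        print(body, "->", "; ".join(why))
```

The same allow-list check, applied server-side before the value reaches a shell, is the input validation the affected parameter lacks.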
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Moxa/AWK-3121 (source: description)
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/153223/Moxa-AWK-3121-1.14-Information-Disclosure-Command-Execution.html (mitre, x_refsource_MISC)
- github.com/samuelhuntley/Moxa_AWK_1121/blob/master/Moxa_AWK_1121 (mitre, x_refsource_MISC)
- seclists.org/bugtraq/2019/Jun/8 (mitre, mailing-list, x_refsource_BUGTRAQ)