VYPR
Unrated severity · NVD Advisory · Published Aug 17, 2023 · Updated Oct 8, 2024

Second Order Command-injection Vulnerability in the Key-delete Function

CVE-2023-34216

Description

TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to a command-injection vulnerability. This vulnerability derives from insufficient input validation in the key-delete function, which could potentially allow malicious users to delete arbitrary files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in TN-4900/5900 key-delete function allows unauthenticated attackers to delete arbitrary files.

Vulnerability

A command-injection vulnerability exists in the key-delete function of Moxa TN-4900 Series firmware versions v1.2.4 and prior, and TN-5900 Series firmware versions v3.3 and prior. The flaw arises from insufficient input validation, enabling attackers to inject operating system commands. The affected product series are explicitly listed in the advisory [1].

Exploitation

An attacker can exploit this vulnerability without authentication by sending crafted input to the key-delete function over the network. No special privileges or user interaction are required. The advisory notes the vulnerability is accessible through the web server interface, allowing remote exploitation [1].

Impact

Successful exploitation allows an attacker to delete arbitrary files on the device. This can lead to denial of service or disruption of critical system operations. The vulnerability affects the confidentiality, integrity, and availability of the device [1].

Mitigation

Moxa has released firmware updates to address the vulnerability. Affected users should update TN-4900 Series to firmware version v1.2.5 or later, and TN-5900 Series to firmware version v3.4 or later. Until patching is possible, Moxa recommends minimizing network exposure and using VPNs for remote access [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • Moxa/TN-5900 Series (llm-fuzzy, 2 versions): <=3.3 + 1 more
    • (no CPE) range: <=3.3
    • (no CPE) range: 1.0
  • Moxa/TN-4900 Series (llm-fuzzy, 2 versions): <=1.2.4 + 1 more
    • (no CPE) range: <=1.2.4
    • (no CPE) range: 1.0
  • Moxa/EDR-G9010 Series (v5)
    Range: 1.0
  • Moxa/EDR-G902 (cpe-rescue)
    Range: 1.0
  • Moxa/Edr G903 (cpe-rescue)
    Range: 1.0
  • Moxa/NAT-102 Series (v5)
    Range: 1.0

References

1
