Unrated severity · NVD Advisory · Published Aug 17, 2023 · Updated Oct 2, 2024

Second Order Command-injection Vulnerability in the Certificate-delete Function

CVE-2023-34217

Description

TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to a command-injection vulnerability. This vulnerability stems from insufficient input validation in the certificate-delete function, which could potentially allow malicious users to delete arbitrary files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Command injection in TN-4900/TN-5900 certificate-delete function allows arbitrary file deletion.

Vulnerability

The command-injection vulnerability exists in the certificate-delete function of TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior [1]. The root cause is insufficient input validation, which allows an attacker to inject arbitrary OS commands when deleting a certificate.

Exploitation

To exploit this vulnerability, an attacker needs authenticated access to the web interface of an affected device [1]. The attacker can craft a malicious certificate deletion request containing injected commands. No user interaction beyond the attacker's own actions is required.

Impact

Successful exploitation allows the attacker to delete arbitrary files on the device [1]. This can lead to denial of service or disruption of device functionality, potentially affecting network operations.

Mitigation

Moxa has developed firmware solutions; users should upgrade TN-4900 Series to a fixed version beyond v1.2.4 and TN-5900 Series beyond v3.3 [1]. As a workaround, minimize network exposure and use VPNs for remote access [1]. The vulnerability is not listed in CISA KEV as of the advisory date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • Moxa/TN-5900 Series (llm-fuzzy, 2 versions): <=3.3 + 1 more
    • (no CPE) range: <=3.3
    • (no CPE) range: 1.0
  • Moxa/TN-4900 Series (llm-fuzzy, 2 versions): <=1.2.4 + 1 more
    • (no CPE) range: <=1.2.4
    • (no CPE) range: 1.0
  • Moxa/EDR-G9010 Series (v5)
    Range: 1.0
  • Moxa/EDR-G902 (cpe-rescue)
    Range: 1.0
  • Moxa/Edr G903 (cpe-rescue)
    Range: 1.0
  • Moxa/NAT-102 Series (v5)
    Range: 1.0

Patches

0

No patches discovered yet.

References

1
