OTPulse

Moxa CVE-2025-0193: Stored Cross-site Scripting (XSS) Vulnerability in the MGate 5121/5122/5123 Series

MonitorCVSS 5.2MPSA-247733Jan 15, 2025
Moxa
Summary

A stored Cross-site Scripting (XSS) vulnerability exists in MGate 5121/5122/5123 Series firmware due to insufficient sanitization of user input in the "Login Message" functionality. An authenticated attacker with administrative access can inject malicious JavaScript that is stored on the device and executed in the browsers of other users accessing the login page, potentially resulting in credential theft or unauthorized system modifications.

What this means
What could happen
An authenticated admin attacker could inject malicious scripts into the login message on your MGate gateway. Those scripts would execute in the browser of any user logging in, potentially allowing the attacker to steal credentials, modify device settings, or compromise connected control systems.
Who's at risk
Water utilities, electric utilities, and other facilities operating Moxa MGate 5121/5122/5123 gateways for protocol conversion (typically connecting legacy Modbus/RTU devices to modern networks). Facilities where admin access is shared among multiple operators are at higher risk. This primarily affects the supervisory/engineering layer, not field instruments.
How it could be exploited
An attacker with administrative credentials accesses the MGate web interface, crafts malicious JavaScript in the "Login Message" field, and saves the changes. When other users (including other admins) attempt to log in, the stored script executes in their browser, potentially allowing credential capture or unauthorized system modifications.
Prerequisites
  • Administrative credentials for the MGate device
  • Network access to the MGate web interface (typically port 80/443)
  • Target user must access the login page after the payload is injected
Requires admin credentials to exploitStored payload affects multiple usersProduct is end-of-life with no vendor patch plannedAffects industrial control device at network boundary
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
ProductAffected VersionsFix Status
the MGate 5121/5122/5123 SeriesAll versionsNo fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGRestrict administrative access to the MGate web interface to a trusted network or VPN using firewall rules or the device's built-in access control
WORKAROUNDDisable web-based management on the MGate if not required; use serial console or local management instead
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGMonitor the MGate for suspicious changes to the Login Message field or unexpected script content
HARDENINGDocument and review all users with administrative access to the MGate; remove unnecessary admin accounts
View full Moxa Security advisory
API: /api/v1/advisories/0d6ac80f-6d7c-431d-896d-320cf1fade11

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Moxa CVE-2025-0193: Stored Cross-site Scripting (XSS) Vulnerability in the MGate 5121/5122/5123 Series | CVSS 5.2 - OTPulse