OTPulse

Moxa CVE-2025-0676: Command Injection Leading to Privilege Escalation in Secure Routers, Cellular Routers, Network Security Appliances

CVSS 8.6 · MPSA-251431 · Apr 2, 2025
Summary

CVE-2025-0676 is a command injection vulnerability in the tcpdump utility within Moxa secure routers, cellular routers, and network security appliances. Because input to the utility is not properly validated, an authenticated attacker with console access can inject arbitrary OS commands and obtain root-level privileges. Successful exploitation could allow the attacker to maintain persistent control over the device, disrupt network services, and affect downstream systems that depend on the device for connectivity.

What this means
What could happen
An authenticated attacker with console access to a Moxa secure router, cellular router, or network security appliance could inject commands into tcpdump and gain root-level control of the device, allowing them to disrupt network connectivity or manipulate traffic routing for connected systems.
Who's at risk
This affects operators of Moxa secure routers, cellular routers, and network security appliances that serve as gateways or security checkpoints in municipal networks. Water authorities and utilities using Moxa devices for remote site connectivity (SCADA networks, distributed RTU communications, or network edge security) should assess their deployments.
How it could be exploited
An attacker with valid console credentials connects to the device management interface and provides specially crafted input to the tcpdump feature that bypasses input validation, injecting arbitrary OS commands that execute with root privileges.
Prerequisites
  • Valid console access credentials (e.g., administrator login)
  • Access to the device management console or CLI
  • Ability to interact with tcpdump functionality on the device
  • High CVSS score (8.6)
  • Privilege escalation to root
  • Affects network security appliances
  • Requires valid credentials (reduces immediate risk)
  • Low EPSS score suggests exploitation is not yet widespread
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (1)
Product: CVE-2025-0676: Command Injection Leading to Privilege Escalation in Secure Routers, Cellular Routers, Network Security Appliances
Affected Versions: All versions
Fix Status: No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict console access to trusted administrator accounts only and disable unused management interfaces
HARDENING: Implement strong authentication policies for console/management access and rotate credentials regularly
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Moxa technical support to obtain the latest firmware patch for your specific router model and apply it during a scheduled maintenance window
Long-term hardening
HARDENING: Monitor console access logs for suspicious authentication attempts or tcpdump command execution
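As an added example (not part of the OTPulse advisory and not Moxa tooling), the script below applies the monitoring advice above to constructed console log lines: it flags tcpdump invocations whose arguments contain shell metacharacters or tokens outside a strict allowlist, and the same check doubles as the input validation that was missing. The log field layout, the sample lines and the allowlist are assumptions.

```python
import re
from typing import List, NamedTuple

# Shell metacharacters that have no business in a tcpdump argument string
# entered through a management console; the value labels the finding.
SHELL_META = {
    ";": "command separator", "|": "pipe", "&": "background/and-list",
    "`": "backtick substitution", "$(": "command substitution",
    ">": "output redirect", "<": "input redirect", "\n": "newline",
}
# Strict allowlist for one tcpdump argument token (assumption: interface
# names, numbers, ports and simple BPF keywords are all that is needed).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_.:/=\-\[\]]+$")
# Assumed console audit-log field layout; real device logs will differ.
LOG_RE = re.compile(r'user=(?P<user>\S+) src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"')

# Constructed sample lines, not captured from any device.
SAMPLE_LOG = """\
2025-04-02T10:01:12Z rtr1 console: user=admin src=10.0.0.5 cmd="tcpdump -i eth0 -c 100 port 502"
2025-04-02T10:03:45Z rtr1 console: user=admin src=10.0.0.5 cmd="tcpdump -i eth0 -w /tmp/cap.pcap; id"
2025-04-02T10:05:01Z rtr1 console: user=operator src=10.0.0.9 cmd="show interfaces"
2025-04-02T10:06:30Z rtr1 console: user=operator src=10.0.0.9 cmd="tcpdump -i eth1 host $(whoami)"
"""

class Finding(NamedTuple):
    user: str
    src: str
    cmd: str
    reasons: tuple

def check_tcpdump_args(cmd: str) -> List[str]:
    """Reasons to reject or alert on a console tcpdump command (empty = clean)."""
    reasons = [f"{why} ({meta!r})" for meta, why in SHELL_META.items() if meta in cmd]
    for tok in cmd.split()[1:]:  # skip the 'tcpdump' verb itself
        if not TOKEN_RE.match(tok):
            reasons.append(f"unexpected token {tok!r}")
    return reasons

def scan_console_log(text: str) -> List[Finding]:
    """Return a Finding for every logged tcpdump invocation that fails the check."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("cmd").startswith("tcpdump"):
            continue
        reasons = check_tcpdump_args(m.group("cmd"))
        if reasons:
            findings.append(Finding(m.group("user"), m.group("src"), m.group("cmd"), tuple(reasons)))
    return findings
```

Run `scan_console_log(SAMPLE_LOG)` to see the two flagged invocations; a legitimate capture with a quoted BPF filter would also be flagged by the token allowlist, so tune TOKEN_RE to the filters your operators actually use.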