Moxa CVE-2025-5191: Unquoted Search Path Vulnerability in the Utility for Industrial Computers (Windows)
Monitor4MPSA-256421Aug 25, 2025
Summary
An unquoted search path vulnerability exists in SerialInterfaceService.exe, a utility included with Moxa industrial computers running Windows. An attacker with local access and limited user privileges could place a malicious executable in a directory within the Windows search path. When the Serial Interface service starts, the malicious file would execute with SYSTEM privileges, allowing privilege escalation and persistence on the affected computer. The impact is limited to the compromised computer; subsequent systems are not directly affected.
What this means
What could happen
A local attacker with limited privileges could run malicious code as SYSTEM, gaining control of the industrial computer and potentially disrupting monitoring or control functions that depend on this utility.
Who's at risk
Energy and manufacturing facilities using Moxa industrial computers (Windows-based) with the Serial Interface utility should assess whether this utility is in use in their automation network. The risk is highest in systems where non-administrative users have local shell access to the computer (such as engineering workstations or HMI servers).
How it could be exploited
An attacker with local access to the Windows system places a malicious executable in a directory that appears earlier in the Windows search path than the legitimate SerialInterfaceService.exe location. When the Serial Interface service starts (at system boot or service restart), the malicious file is executed with SYSTEM privileges instead of the legitimate utility.
Prerequisites
- Local access to the Windows system (physical or via RDP/remote desktop)
- Limited user privileges (non-administrator account)
- Write access to a directory in the Windows search path that is checked before the legitimate utility's directory
No authentication required for exploitationLow complexity attackNo patch currently availableLeads to privilege escalation and persistenceAffects industrial computer utility
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
ProductAffected VersionsFix Status
CVE-2025-5191: Unquoted Search Path Vulnerability in the Utility for Industrial Computers (Windows)All versionsNo fix (EOL)
Remediation & Mitigation
0/3
Do now
0/2HARDENINGRestrict file write permissions on directories in the Windows system search path (especially %TEMP%, %WINDIR%, and Program Files parent directories) to administrative accounts only
WORKAROUNDDisable or restrict the Serial Interface service if it is not actively required for plant operations; configure it to start only when needed
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXLocate the SerialInterfaceService.exe utility used by your Moxa industrial computers and replace it with a patched version from Moxa (contact Moxa support for availability of fixed version)
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/c7d81f2f-c491-4418-8c10-f62ab91a06c2