Moxa CVE-2025-5191: Unquoted Search Path Vulnerability in the Utility for Industrial Computers (Windows)

Monitor | CVSS 4 | MPSA-256421 | Aug 25, 2025
Moxa | Energy | Manufacturing
Summary

An unquoted search path vulnerability exists in SerialInterfaceService.exe, a component of the Moxa utility for industrial computers (Windows). A local attacker with limited user privileges could place a malicious executable in a higher-priority directory within the Windows search path. When the Serial Interface service starts, the malicious executable would execute with SYSTEM privileges, enabling privilege escalation or persistence. The vulnerability affects the confidentiality, integrity, and availability of the affected device but does not directly propagate to downstream systems.

What this means
What could happen
A local user with limited privileges on a Moxa industrial computer could escalate to SYSTEM-level access by placing a malicious executable in the search path, potentially compromising the entire device and any connected industrial processes it controls.
Who's at risk
Energy and manufacturing organizations using Moxa industrial computers (such as Moxa iLogik, Moxa OnCell, or similar Windows-based industrial platforms) for process monitoring, data acquisition, or equipment control should assess their exposure. This affects any Moxa utility running on Windows systems with local users present.
How it could be exploited
An attacker with local access to the industrial computer places a malicious .exe file in a directory that appears earlier in the Windows search path than where SerialInterfaceService.exe is located. When the Serial Interface service starts (either on system boot or manual restart), Windows loads the attacker's executable instead of the legitimate one, executing it with SYSTEM privileges. The attacker can then maintain persistence or pivot to compromise connected industrial devices.
Prerequisites
  • Local user account on the Moxa industrial computer (limited privileges sufficient)
  • Write access to a directory in the Windows search path (e.g., C:\Windows, Program Files, or a path earlier in the search order)
  • Ability to restart the SerialInterfaceService service or wait for system reboot
  • No credentials needed beyond local user login
  • No patch available (end-of-life product)
  • Local privilege escalation to SYSTEM level
  • Can enable persistence on control device
  • Affects confidentiality, integrity, and availability of the industrial computer itself
  • Low exploit complexity
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
CVE-2025-5191: Unquoted Search Path Vulnerability in the Utility for Industrial Computers (Windows) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate or restrict physical and network access to Moxa industrial computers to trusted personnel only
HARDENING: Monitor and restrict write permissions on Windows system directories (C:\Windows, Program Files, C:\Program Files (x86)) to administrator accounts only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Configure SerialInterfaceService to run under a non-SYSTEM service account with minimal required privileges
Mitigations - no patch available
CVE-2025-5191: Unquoted Search Path Vulnerability in the Utility for Industrial Computers (Windows) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Enable Windows file integrity monitoring or change auditing on critical system paths to detect unauthorized executable placement
HARDENING: Restrict local user account creation and enforce strong access controls on the industrial computer
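To scope the file integrity monitoring and write-permission controls above, the following added example (not code from Moxa or from this advisory) takes service ImagePath values exported from the registry and lists the exact file names Windows would try before the real binary when the path is unquoted and contains spaces. It relies on the documented CreateProcess behaviour of trying each space-delimited prefix in turn and appending ".exe" when the name has no extension. The install directory and service list are constructed placeholders, since the advisory does not give the real path.

```python
import ntpath
import re

def candidate_paths(image_path):
    """Return the extra file names Windows would try before the real binary
    when a service ImagePath contains spaces and is not quoted."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                      # quoted: parsed unambiguously
    match = re.match(r"(.*?\.exe)(?=\s|$)", path, re.IGNORECASE)
    if not match:
        return []
    tokens = match.group(1).split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        if not tokens[i - 1]:
            continue                   # skip runs of consecutive spaces
        prefix = " ".join(tokens[:i])
        # CreateProcess appends ".exe" when the name has no extension.
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates

def watch_list(services):
    """Map each at-risk service name to the paths to put under file
    integrity monitoring; `services` holds (name, ImagePath, account)."""
    report = {}
    for name, image_path, account in services:
        paths = candidate_paths(image_path)
        if paths:
            report[name] = {"account": account, "watch": paths}
    return report

# Constructed sample data. The install directory is a placeholder: the
# advisory does not state where SerialInterfaceService.exe is installed.
SAMPLE = [
    ("SerialInterfaceService",
     r"C:\Program Files\Example Vendor\Serial Tools\SerialInterfaceService.exe",
     "LocalSystem"),
    ("QuotedService",
     r'"C:\Program Files\Example Vendor\Other\svc.exe" -k run',
     "LocalSystem"),
    ("NoSpaces", r"C:\Windows\System32\svchost.exe -k netsvcs", "LocalSystem"),
]

if __name__ == "__main__":
    for svc, info in watch_list(SAMPLE).items():
        print(svc, info["account"], *info["watch"], sep="\n   ")
```

Any listed path that already exists on the device, or whose parent directory is writable by non-administrators, deserves immediate review.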