OTPulse

Moxa CVE-2025-1679, CVE-2025-1680: Stored Cross-site Scripting (XSS) and Host Header Injection Vulnerabilities in Ethernet Switch

Monitor · 4.8 · MPSA-257421 · Oct 23, 2025
Summary

Two vulnerabilities exist in Moxa Ethernet switches. CVE-2025-1679 is a stored cross-site scripting (XSS) vulnerability that allows an authenticated administrator to inject malicious scripts into the web interface; these scripts persist and execute when other administrators access the interface, potentially leading to credential theft or unauthorized configuration changes. CVE-2025-1680 is a Host Header Injection vulnerability that allows administrative attackers to manipulate HTTP Host headers, which could potentially be used for phishing or redirection attacks against administrators interacting with the switch's web service. Both vulnerabilities require administrative privileges to exploit and have limited direct impact on device confidentiality, integrity, and availability, but they can compromise the security of subsequent management interactions.

What this means
What could happen
An attacker with administrative access to a Moxa Ethernet switch could inject malicious scripts that persist in the web interface, potentially compromising the integrity of management sessions and enabling credential theft or unauthorized configuration changes from administrators.
Who's at risk
Network and OT operations teams managing Moxa Ethernet switches used in industrial networks, data center interconnects, and utility automation systems. This primarily affects administrative staff who access the switch's web-based management interface.
How it could be exploited
An attacker with admin credentials logs into the Moxa Ethernet switch web interface and injects malicious JavaScript into a form field (stored XSS). When other administrators access the same interface, the script executes in their browser, potentially stealing session cookies or credentials. CVE-2025-1680 allows the attacker to manipulate HTTP Host headers to redirect administrators or forge links during switch management.
Prerequisites
  • Valid administrative credentials for the Moxa Ethernet switch
  • Network access to the switch's web interface (typically management VLAN or OOB network)
  • Admin attacker with ability to insert content through the web UI
requires administrative credentials · low complexity attack · affects management interfaces · no patch currently available · persistent payload storage
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Ethernet Switch | All versions | No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict administrative access to the Moxa Ethernet switch web interface to trusted management workstations only using firewall rules or network segmentation
WORKAROUND: Disable or restrict web-based management of the switch if not actively used; use CLI or SNMP for routine operations instead
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor access logs to the switch's web interface for suspicious administrative login activity or credential misuse
HOTFIX: Plan upgrade to patched firmware version when available from Moxa
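
The log-monitoring step above can be sketched as a small review script. This is an added example, not code from Moxa or this advisory: it flags web-interface requests that come from outside the trusted management workstations or that carry a Host header other than the switch's own name or address. The log line layout, addresses and host names are constructed for the example and must be adapted to what your switch or log collector actually records.

```python
import ipaddress
import re

# Assumptions (not from the advisory): the trusted workstation subnet, the
# switch's legitimate Host values, and the log line layout parsed below.
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/28")]
EXPECTED_HOSTS = {"10.20.1.5", "sw-core-01.ot.example"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) host="(?P<host>[^"]*)" '
    r'user=(?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

def normalize_host(value):
    """Lower-case the Host value and drop an optional :port suffix."""
    host = value.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:443
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host

def review(lines):
    """Return (line_no, reason) findings for untrusted sources and odd Hosts."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        try:
            src = ipaddress.ip_address(m["src"]) if m else None
        except ValueError:
            src = None
        if src is None:
            # Do not silently skip lines the parser cannot account for.
            findings.append((no, "unparsed line"))
            continue
        if not any(src in net for net in TRUSTED_MGMT):
            findings.append((no, f"admin UI request from untrusted source {src}"))
        if normalize_host(m["host"]) not in EXPECTED_HOSTS:
            findings.append((no, f"unexpected Host header {m['host']!r}"))
    return findings

# Constructed sample lines (not real device output).
SAMPLE = [
    '2025-10-23T08:01:12Z src=10.20.0.4 host="10.20.1.5" user=admin "POST /login" 200',
    '2025-10-23T08:03:40Z src=10.20.0.4 host="sw-core-01.ot.example:443" user=admin "GET /config" 200',
    '2025-10-23T09:15:02Z src=198.51.100.23 host="10.20.1.5" user=admin "POST /login" 200',
    '2025-10-23T09:16:10Z src=10.20.0.6 host="login.portal.example" user=admin "GET /" 302',
]

if __name__ == "__main__":
    for line_no, reason in review(SAMPLE):
        print(f"line {line_no}: {reason}")
```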