Moxa CVE-2025-1679, CVE-2025-1680: Stored Cross-site Scripting (XSS) and Host Header Injection Vulnerabilities in Ethernet Switch

CVSS 4.8 | Moxa advisory MPSA-257421 | Oct 23, 2025
Tags: Trane, Moxa
Summary

Two vulnerabilities have been identified in the web service of Moxa Ethernet switches:
  • CVE-2025-1679: Stored Cross-Site Scripting (XSS). An authenticated administrative attacker can inject scripts that are stored on the device and persist across sessions. The scripts execute in the browser of any other authenticated user who views the affected page, compromising the confidentiality and integrity of that user's session and of any downstream system that trusts data taken from the web interface.
  • CVE-2025-1680: Host Header Injection. An attacker with administrative privileges can supply a manipulated HTTP Host header in requests to the device; where the web service copies that value into generated links or redirects, this can be used to redirect users, forge links, or support phishing attacks.
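The Host header issue in CVE-2025-1680 follows a general pattern: a web service that copies the client-supplied Host value into an absolute URL (a redirect after login, a link in a generated page) lets whoever controls that header choose the origin the user is sent to. The following added example is illustrative Python, not Moxa's firmware code; the device addresses, the allow list and the attacker's look-alike domain are assumptions. It shows the vulnerable construction beside an allow-list check used by the hardened variant.

```python
import re

# Assumed identities of the device for this example (hypothetical addresses).
CANONICAL_HOST = "192.0.2.10"
ALLOWED_HOSTS = {CANONICAL_HOST, "switch01.ot.example"}

# Accept host[:port] only: no userinfo, path, whitespace or control characters.
_HOST_RE = re.compile(r"(?P<name>[a-z0-9.-]+)(?::(?P<port>\d{1,5}))?")


def build_redirect_vulnerable(host_header: str, path: str) -> str:
    """Vulnerable pattern: the Location URL is built from whatever Host the
    client sent, so the client picks the destination's origin."""
    return f"https://{host_header}{path}"


def validate_host(host_header: str, allowed=ALLOWED_HOSTS):
    """Return the normalized host[:port] if it names this device, else None."""
    match = _HOST_RE.fullmatch(host_header.strip().lower())
    if match is None or match.group("name") not in allowed:
        return None
    return match.group(0)


def build_redirect_hardened(host_header: str, path: str, allowed=ALLOWED_HOSTS) -> str:
    """Hardened pattern: only a configured identity of the device is used;
    anything else falls back to the canonical address instead of being echoed."""
    host = validate_host(host_header, allowed) or CANONICAL_HOST
    return f"https://{host}{path}"


# Constructed attacker request: a look-alike domain placed in the Host header.
ATTACKER_HOST = "switch01.ot-exarnple.net"

if __name__ == "__main__":
    print("vulnerable:", build_redirect_vulnerable(ATTACKER_HOST, "/login"))
    print("hardened:  ", build_redirect_hardened(ATTACKER_HOST, "/login"))
```

Falling back to the canonical address is one choice; rejecting the request outright is equally valid and is easier to alert on. Either way the device must know its own identities, which is why the allow list has to come from configuration rather than from the request.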

What this means
What could happen
An attacker with administrative credentials could inject malicious scripts or forge HTTP headers in the Ethernet switch's web interface, potentially redirecting network administrators or compromising the integrity of management traffic. However, these vulnerabilities do not directly affect the switch's core switching operations or packet forwarding functions.
Who's at risk
This affects network operators and IT staff who manage Moxa Ethernet switches in industrial and critical infrastructure environments, including water utilities, power distribution, and manufacturing facilities. The victims are other administrators who log in to the web interface after a malicious administrator has planted a payload. The vulnerabilities have limited impact on actual network switching operations but put the integrity of administrative communications at risk.
How it could be exploited
An attacker who already has administrative access to the Moxa Ethernet switch's web management interface could store a malicious script through the interface or send requests carrying a specially crafted HTTP Host header. When other authorized administrators later use the web interface to manage the switch, the persistent XSS payload executes in their browser, or a link or redirect that the device built from the injected Host header sends them to a phishing site or other attacker-controlled server. Valid administrative credentials are required in both cases.
Prerequisites
  • Valid administrative credentials for the Moxa Ethernet switch web management interface
  • Network access to the switch's web management service (typically HTTP/HTTPS, port 80 or 443)
  • For exploitation: the victim (another admin) must access the web interface after the payload is injected
Tags: Requires administrative credentials | Stored payload persistence across sessions | Affects management interface (not data plane) | Low EPSS score (0.1%) | No patch available
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product           Affected Versions   Fix Status
Ethernet Switch   All versions        No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict administrative access to the Ethernet switch's web management interface to authorized personnel only; use firewall rules or network segmentation so that only trusted engineering workstations can reach it.
HARDENING: Enforce strong, unique administrative credentials on all Moxa Ethernet switches; change default credentials immediately if that has not already been done.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor administrative access logs on affected switches for signs of unauthorized credential use or other suspicious activity.
HOTFIX: Plan to upgrade to a patched firmware version when Moxa releases one; schedule the update in a maintenance window.
WORKAROUND: If web-based administration is not required for normal operations, disable or restrict the web management interface and manage the switch via CLI or SNMP from a secured network segment (prefer SSH over Telnet and SNMPv3 over v1/v2c, since the older protocols carry credentials in cleartext).
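The monitoring item above is only useful with concrete rules behind it. The added example below is illustrative Python, not a Moxa feature; the key=value log format, the trusted engineering subnet and the device identities are constructed for the example. It runs three checks over sample web-access records: a successful administrator login from outside the engineering workstation range, a configuration change from such a source, and a request whose Host header does not name the device, which is the trace a Host header injection attempt leaves in the logs.

```python
import ipaddress
import re

# Assumptions for the example: workstations allowed to manage the switch, and
# the names/addresses the switch's web service should be reached by.
ENGINEERING_NETS = [ipaddress.ip_network("192.0.2.0/28")]
DEVICE_HOSTS = {"192.0.2.10", "switch01.ot.example"}

# Constructed log lines in a simple key=value form (not Moxa's log format).
SAMPLE_LOG = """\
2025-10-23T10:01:02Z src=192.0.2.5 user=admin method=POST path=/login status=200 host=192.0.2.10
2025-10-23T10:03:17Z src=203.0.113.7 user=admin method=POST path=/login status=200 host=192.0.2.10
2025-10-23T10:03:40Z src=203.0.113.7 user=admin method=POST path=/config/system status=200 host=192.0.2.10
2025-10-23T10:05:00Z src=192.0.2.5 user=admin method=GET path=/status status=200 host=switch01.ot-exarnple.net
2025-10-23T10:06:10Z src=192.0.2.9 user=- method=POST path=/login status=401 host=192.0.2.10
""".strip().splitlines()

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict:
    """Splits a log line into a dict of fields plus its timestamp."""
    timestamp, rest = line.split(" ", 1)
    record = dict(_FIELD.findall(rest))
    record["ts"] = timestamp
    return record


def from_engineering_net(src: str) -> bool:
    """True if the source address belongs to a trusted engineering range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ENGINEERING_NETS)


def find_suspicious(lines):
    """Returns (timestamp, rule, detail) tuples for records that match a rule."""
    findings = []
    for line in lines:
        r = parse_record(line)
        trusted = from_engineering_net(r["src"])
        if r["path"] == "/login" and r["status"] == "200" and not trusted:
            findings.append((r["ts"], "admin login from outside engineering range", r["src"]))
        elif r["method"] == "POST" and r["status"] == "200" and not trusted:
            findings.append((r["ts"], "configuration change from outside engineering range", r["src"]))
        # A Host value that is not one of the device's own identities is the
        # signature of a Host header injection attempt, whoever sent it.
        if r["host"].split(":")[0].lower() not in DEVICE_HOSTS:
            findings.append((r["ts"], "Host header does not name this device", r["host"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

The Host header rule is worth keeping even after the firewall rule is in place: a request with a foreign Host value from a trusted workstation, as in the fourth sample line, points at a compromised or misdirected admin browser rather than at a network exposure.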
API: /api/v1/advisories/91fb3afc-856c-4777-87fa-2f1382010aa9
