OTPulse

Moxa CVE-2025-6892, CVE-2025-6893, CVE-2025-6894, CVE-2025-6949, CVE-2025-6950: Multiple Vulnerabilities in Network Security Appliances and Routers

Monitor4 · MPSA-258121 · Oct 17, 2025
Summary

Five vulnerabilities identified in Moxa network security appliances and routers:
  • CVE-2025-6892: Incorrect Authorization in API authentication. After a legitimate user logs in, protected API endpoints, including administrative functions, can be reached without the system properly validating session context or privilege boundaries, allowing an attacker to perform privileged operations they are not authorized for.
  • CVE-2025-6893: Execution with Unnecessary Privileges in the /api/v1/setting/data endpoint. Low-privileged authenticated users can access or modify system configuration data without the required permissions, leading to privilege escalation and exposure of sensitive system settings.
  • CVE-2025-6894: Execution with Unnecessary Privileges in the API authorization logic. Authenticated low-privileged users can execute the administrative ping function that is restricted to higher-privileged roles, enabling internal network reconnaissance.
  • CVE-2025-6949 and CVE-2025-6950: additional vulnerabilities in the same products; specific details are not provided in the advisory excerpt.
All five affect network security appliances and routers across all versions. No patches are available from the vendor.

What this means
What could happen
An attacker with valid login credentials to a Moxa network security appliance or router could escalate privileges, modify system configurations, and perform network reconnaissance from inside the device. This could allow the attacker to bypass security controls and gather intelligence about your internal network topology.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Moxa network security appliances or routers for perimeter security, firewall functions, or network access control. Any facility relying on these devices to protect SCADA networks, HMI systems, or process control networks is affected.
How it could be exploited
An attacker must first obtain valid credentials for a low-privileged user account (such as a monitoring or operator account) on the Moxa device. Once authenticated, the attacker can call protected API endpoints that fail to validate privilege boundaries, allowing them to escalate to administrative functions, modify configurations, or execute network reconnaissance commands without proper authorization.
Prerequisites
  • Valid low-privileged user credentials for the Moxa appliance or router
  • Network access to the device's API endpoints (typically port 443 or 8443 for HTTPS)
  • Device must have API access enabled
Key points
  • Low complexity exploitation after credential compromise
  • No patch available from vendor
  • Affects security appliances protecting operational networks
  • Privilege escalation possible
  • No further authentication required after the initial login
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Network Security Appliances and Routers | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Immediately review and restrict API access to the Moxa device using firewall rules or network segmentation; limit administrative API access to trusted management networks only
HARDENING: Audit all user accounts on affected Moxa devices and remove or disable unnecessary low-privileged accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Enable detailed logging and monitoring of API calls to detect unauthorized privilege escalation attempts
HOTFIX: Contact Moxa support regularly to check for availability of security patches for CVE-2025-6892, CVE-2025-6893, CVE-2025-6894, CVE-2025-6949, and CVE-2025-6950
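The exploitation path described under "How it could be exploited" and the logging item above share one detection: a low-privileged account successfully calling an endpoint that should require a higher role. The script below is an added example written for this page, not Moxa's code or log format, and not an OTPulse tool. It assumes the device (or a reverse proxy in front of it) writes one line per API call with the authenticated username, method, path and HTTP status; the log layout, the account-to-role map, the role names and the path used for the ping function are all constructed for the example. Only /api/v1/setting/data comes from the advisory.

```python
"""Flag API calls where a lower-privileged account reached a higher-privileged
endpoint, the pattern behind CVE-2025-6892/6893/6894.

Hypothetical log format and policy table; see the lead-in for what is assumed.
"""
import re
from collections import Counter

# Assumed role ordering for the device's local accounts.
ROLE_RANK = {"monitor": 1, "operator": 2, "admin": 3}

# Endpoint prefix -> minimum role. /api/v1/setting/data is named in the advisory;
# the ping path is an assumption standing in for the "administrative ping function".
ENDPOINT_POLICY = [
    ("/api/v1/setting/", "admin"),
    ("/api/v1/diagnostics/ping", "admin"),  # assumed path
    ("/api/v1/status", "monitor"),
]

# Constructed account listing, as exported from the device's user management page.
ACCOUNT_ROLES = {"monitor1": "monitor", "ops2": "operator", "admin1": "admin"}

# Constructed log format: ISO timestamp, client IP, user=<name>, METHOD path status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)


def required_role(path):
    """Longest-prefix match against ENDPOINT_POLICY; None if the path is not covered."""
    best = None
    for prefix, role in ENDPOINT_POLICY:
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, role)
    return best[1] if best else None


def classify(line):
    """Return an alert dict for a suspicious call, or None for a benign one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return {"kind": "unparsed", "line": line.strip()}
    rec = m.groupdict()
    needed = required_role(rec["path"])
    if needed is None:
        return None
    actual = ACCOUNT_ROLES.get(rec["user"])
    if actual is None:
        return {"kind": "unknown_account", **rec}
    if ROLE_RANK[actual] >= ROLE_RANK[needed]:
        return None
    # A lower-privileged account reached a higher-privileged endpoint. A 2xx means
    # the device served it (the authorization bypass); anything else was denied.
    succeeded = rec["status"].startswith("2")
    return {
        "kind": "privilege_violation" if succeeded else "privilege_attempt",
        "needed": needed,
        "actual": actual,
        **rec,
    }


def scan(lines):
    """Classify every line; return all alerts plus a per-user count of successful violations."""
    alerts = [a for a in (classify(l) for l in lines) if a]
    per_user = Counter(a["user"] for a in alerts if a["kind"] == "privilege_violation")
    return alerts, per_user


# Constructed sample: a monitor account reading status (fine), then successfully
# reading and writing settings and calling ping (the CVE-2025-6893/6894 pattern),
# an operator denied once, an admin doing admin work, and an account not in the export.
SAMPLE_LOG = """\
2025-10-17T09:12:01Z 10.0.5.21 user=monitor1 GET /api/v1/status 200
2025-10-17T09:12:03Z 10.0.5.21 user=monitor1 GET /api/v1/setting/data 200
2025-10-17T09:12:09Z 10.0.5.21 user=monitor1 POST /api/v1/setting/data 200
2025-10-17T09:12:15Z 10.0.5.21 user=monitor1 POST /api/v1/diagnostics/ping 200
2025-10-17T09:13:40Z 10.0.5.40 user=ops2 POST /api/v1/setting/data 403
2025-10-17T09:14:02Z 10.0.7.2 user=admin1 POST /api/v1/setting/data 200
2025-10-17T09:14:30Z 10.0.5.99 user=ghost GET /api/v1/setting/data 200
"""

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["kind"], a.get("user"), a.get("method"), a.get("path"), a.get("status"))
    print("successful violations per user:", dict(counts))
```

Because the device itself is the component making the wrong decision, the "privilege_violation" case (a 2xx to a lower-privileged account) is the one to treat as a confirmed incident rather than noise; "privilege_attempt" and "unknown_account" are worth a ticket but may just be a misconfigured operator or a stale account export. Keep the policy table in sync with the roles actually configured on the device, or the script will under-report.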
Long-term hardening
HARDENING: Implement network segmentation to isolate management interfaces and API endpoints from untrusted networks