Moxa CVE-2025-0415: Command Injection Leading to Denial-of-Service in Secure Routers, Cellular Routers, and Network Security Appliances
Plan Patch · CVSS 9.2 · MPSA-259491 · Apr 2, 2025
Moxa
Summary
CVE-2025-0415 is a command injection vulnerability in Moxa secure routers, cellular routers, and network security appliances. An authenticated user with administrative privileges to the web interface can inject arbitrary system commands through NTP settings, potentially causing the device to enter an infinite reboot loop and dependent systems to lose network connectivity.
What this means
What could happen
An attacker with admin credentials to the web interface could execute commands that crash the router into an infinite reboot loop, knocking it offline and disrupting network connectivity for all downstream devices and systems that depend on it.
Who's at risk
Network and telecommunications teams operating Moxa secure routers, cellular routers, and network security appliances used in critical infrastructure (utilities, water authorities, manufacturing) for WAN connectivity, failover, and edge network security. Any organization relying on these devices for backbone or remote site connectivity is affected.
How it could be exploited
An attacker with administrative web interface credentials accesses the router's NTP settings configuration. The attacker injects OS command syntax into the NTP parameter fields, which the device executes without proper input sanitization. The commands could trigger a reboot loop, disabling the router entirely.
Prerequisites
- Valid administrative credentials for the web interface
- Network access to the web management interface (port 80/443)
- Knowledge of NTP settings parameter names
- Critical CVSS score (9.2)
- Remotely exploitable via web interface
- High impact on device availability
- Requires administrative credentials but no exploit complexity
- Affects network backbone devices with downstream dependencies
Exploitability
Unlikely to be exploited — EPSS score 0.8%
Affected products (1)
Product | Affected Versions | Fix Status
CVE-2025-0415: Command Injection Leading to Denial-of-Service in Secure Routers, Cellular Routers, and Network Security | All versions | No fix yet
Remediation & Mitigation
Do now
- WORKAROUND: Restrict web management interface access to trusted administrative networks using firewall rules or access control lists (ACLs)
- HARDENING: Disable web-based management interface if console or out-of-band management is available as an alternative
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HARDENING: Require multi-factor authentication (if supported) or stronger-than-default administrative passwords
- HARDENING: Monitor device logs for unusual NTP configuration changes or reboot events that may indicate exploitation attempts
- HOTFIX: Contact Moxa technical support to confirm whether a firmware patch is available for your specific router model and version
Long-term hardening
- HARDENING: Implement network segmentation to isolate router management traffic from general network traffic
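An added example (not Moxa's code and not part of the original advisory) of the log monitoring recommended above: it flags logged NTP server values that are not a plain hostname or IP literal and detects clustered reboots. The log line formats, field names, host name and thresholds are assumptions constructed for illustration; adapt the patterns to what the device actually sends to syslog.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z"
)
# Assumed (constructed) event formats, not the vendor's real log layout.
NTP_CHANGE = re.compile(r"^(\S+) \S+ webui: user=(\S+) ntp_server=(.*)$")
BOOT = re.compile(r"^(\S+) \S+ system: boot completed$")


def is_valid_ntp_server(value: str) -> bool:
    """Allow-list check: an IP literal or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.match(value) is not None


def audit(lines, max_boots=3, window=timedelta(minutes=10)):
    """Return (suspicious NTP changes, whether a reboot loop was seen)."""
    findings, boots, loop = [], [], False
    for line in lines:
        if m := NTP_CHANGE.match(line):
            ts, user, value = m.groups()
            if not is_valid_ntp_server(value):
                findings.append((ts, user, value))
        elif m := BOOT.match(line):
            boots.append(datetime.fromisoformat(m.group(1)))
            # Count boots that fall inside the window ending at this boot.
            recent = [b for b in boots if boots[-1] - b <= window]
            loop = loop or len(recent) >= max_boots
    return findings, loop


# Constructed sample log, not captured from a real device.
SAMPLE = [
    "2025-04-02T08:00:00 rtr01 webui: user=admin ntp_server=time.example.org",
    "2025-04-02T09:15:00 rtr01 webui: user=admin ntp_server=time.example.org;<injected-command>",
    "2025-04-02T09:16:00 rtr01 system: boot completed",
    "2025-04-02T09:18:00 rtr01 system: boot completed",
    "2025-04-02T09:20:00 rtr01 system: boot completed",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A rejected NTP value followed shortly by repeated boot events from the same device is the combination worth alerting on.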
CVEs (1)