Moxa Devices Expose Hard-Coded Credentials (CVE-2025-6950)

Summary
– Moxa has fixed five vulnerabilities in its industrial network devices, including a remotely exploitable flaw (CVE-2025-6950) that could lead to complete system compromise.
– The vulnerabilities include CVE-2025-6950, which allows unauthenticated attackers to forge authentication tokens and bypass controls, and CVE-2025-6892, which permits unauthorized API access.
– Three privilege escalation vulnerabilities (CVE-2025-6893, CVE-2025-6949, CVE-2025-6894) enable low-privilege users to execute privileged operations or gain admin control.
– Affected devices include EDR Series routers, TN-4900 switches, NAT devices, and OnCell gateways, requiring firmware updates to v3.21 or later.
– Moxa advises customers to apply updates immediately and implement security measures like restricting network access, using multi-factor authentication, and conducting regular assessments.
Moxa has urgently addressed a set of five security vulnerabilities within its industrial network security appliances and routers, with one particularly severe flaw (CVE-2025-6950) posing a risk of complete system takeover by remote attackers. The company strongly recommends that all customers install the newest firmware updates without delay to protect their systems. Although there are no current reports of these vulnerabilities being actively exploited, their critical nature makes prompt patching essential.
Moxa, a Taiwan-based firm, is a leading provider of industrial communications, networking, and edge connectivity solutions designed for operational technology (OT) environments.
The resolved security issues encompass several critical weaknesses. The most serious, CVE-2025-6950, stems from a hard-coded secret key used to sign the JSON Web Tokens (JWT) that the device issues for authentication. Because the same key ships in every unit running the affected firmware, anyone who recovers it from a single firmware image can mint tokens that every such device accepts as genuine, bypassing authentication entirely and impersonating any user, including the administrator, without ever knowing a password. Successful exploitation can lead to a total compromise of the device: unauthorized access, theft of sensitive data, and full administrative control.
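To make the failure mode concrete, the following is an added example written for this article, not Moxa's firmware code and not derived from it. It implements a minimal HS256 JWT signer and verifier, then contrasts a device class that bakes one secret into the firmware with one that generates a random per-device secret at first boot. The secret value, claim names (`sub`, `role`, `exp`) and class names are hypothetical. It also includes the check a fleet owner can run in the abstract: a token minted on one unit must not validate on another.

```python
"""Added example (not Moxa's code): why a hard-coded JWT signing secret is an
authentication bypass, and what the per-device fix looks like.
All secrets, claim names and class names here are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256, correctly signed
    and unexpired; otherwise None. Tokens without 'exp' are rejected."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse alg confusion ('none', RS256 swap)
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None
    return claims


# Vulnerable pattern: one secret compiled into every unit (constructed stand-in value).
HARDCODED_SECRET = b"example-firmware-secret"


class VulnerableDevice:
    def __init__(self):
        self.secret = HARDCODED_SECRET

    def login(self, user: str, role: str) -> str:
        return sign_jwt({"sub": user, "role": role, "exp": time.time() + 3600}, self.secret)

    def authorize(self, token: str) -> Optional[dict]:
        return verify_jwt(token, self.secret)


# Hardened pattern: a random secret generated on first boot and persisted per device.
class HardenedDevice(VulnerableDevice):
    def __init__(self, persistent_store: dict):
        if "jwt_secret" not in persistent_store:
            persistent_store["jwt_secret"] = secrets.token_bytes(32)
        self.secret = persistent_store["jwt_secret"]


def attacker_forges_admin(secret_from_firmware_dump: bytes) -> str:
    """No credentials needed: only the key recovered from the firmware image."""
    return sign_jwt({"sub": "admin", "role": "admin", "exp": time.time() + 3600},
                    secret_from_firmware_dump)


def shared_secret_check(device_a, device_b) -> bool:
    """Fleet check: True means a token from device_a validates on device_b,
    i.e. the two units share a signing secret."""
    return device_b.authorize(device_a.login("probe", "user")) is not None


def demo() -> dict:
    forged = attacker_forges_admin(HARDCODED_SECRET)
    vuln_a, vuln_b = VulnerableDevice(), VulnerableDevice()
    hard_a, hard_b = HardenedDevice({}), HardenedDevice({})
    accepted = vuln_a.authorize(forged)
    return {
        "forged_accepted_by_vulnerable": accepted is not None and accepted["role"] == "admin",
        "vulnerable_secret_shared": shared_secret_check(vuln_a, vuln_b),
        "forged_accepted_by_hardened": hard_a.authorize(forged) is not None,
        "hardened_secret_shared": shared_secret_check(hard_a, hard_b),
    }


if __name__ == "__main__":
    print(demo())
```

The per-device secret only closes this particular hole: a signing key that can be read back over the management interface, or a verifier that accepts `alg: none`, reopens it by another route, which is why `verify_jwt` pins the algorithm and why the fleet check is worth running after the firmware upgrade as well as before.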
Both CVE-2025-6950 and CVE-2025-6892 can be exploited remotely without requiring any user credentials. CVE-2025-6892 is a separate flaw in the API authentication mechanism that permits unauthorized access to protected API endpoints, including those reserved for administrative functions.
Additionally, three privilege escalation vulnerabilities were identified. CVE-2025-6893 could allow a low-privileged, authenticated user to invoke a specific API for executing privileged operations. CVE-2025-6949 might enable such a user to run the administrative “ping” function, which can be used for internal network reconnaissance. Finally, CVE-2025-6894 presents a risk where an authenticated user with basic privileges could create a new administrator account, thereby gaining full administrative control over the device.
These security flaws impact the firmware on a range of Moxa products, including the EDR Series industrial secure routers and firewalls (models EDR-G9010, EDR-8010, and EDF-G1002-BP), the TN-4900 Series of industrial Ethernet switches, the NAT-102 and NAT-108 industrial NAT devices, and the OnCell G4302-LTE4 Series of industrial cellular gateways and routers. All affected devices must be upgraded to firmware version 3.21 or a more recent release to mitigate these risks.
Beyond applying immediate firmware updates, Moxa provides several general security recommendations for customers. It is crucial to restrict network access to these devices and minimize their attack surface by ensuring they are not directly exposed to the public internet and by disabling any unused network ports or services. Organizations should also strengthen device authentication, ideally by implementing multi-factor authentication, and enforce strict access control policies based on the principle of least privilege. For remote access, secure methods like VPNs or SSH should be used exclusively. Implementing comprehensive logging, continuous monitoring for anomalies, and conducting regular security assessments are also vital practices for maintaining a robust security posture.
(Source: HelpNet Security)