Other information and services of the government: www.belgium.be Centre for Cybersecurity Belgium
search

Warning: Multiple Critical Vulnerabilities in Moxa Inc. ICS Network Appliances and Routers, Patch Immediately!

Image
Decorative image
Published : 05/02/2026

    * Last update:  05/02/2026
   
    * Affected products:
         → EDR-G9010 Series v3.14 and earlier
         → EDR-8010 Series v3.17 and earlier
         → EDF-G1002-BP Series v3.17 and earlier
         → TN-4900 Series v3.14 and earlier
         → NAT-102 Series v3.17 and earlier
         → NAT-108 Series v3.16 and earlier
         → OnCell G4302-LTE4 Series v3.13 and earlier

    * Type: Incorrect Authorization, Execution with Unnecessary Privileges, Use of Hard-coded Credentials

    * CVE/CVSS:

  • CVE-2025-6892: CVSS 8.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H)
  • CVE-2025-6893: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H)
  • CVE-2025-6894: CVSS 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N)
  • CVE-2025-6949: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H)
  • CVE-2025-6950: CVSS 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H)

Sources

Moxa

Risks

Successful exploitation of vulnerabilities in Moxa industrial network appliances allows:
 

  • CVE-2025-6892 - Incorrect Authorization: Authenticated users can access protected API endpoints beyond their privilege level, allowing unauthorized privileged operations.
  • CVE-2025-6893 -  Execution with Unnecessary Privileges: Low-privileged users can modify system configuration via the /api/v1/setting/data endpoint.
  • CVE-2025-6894 - Execution with Unnecessary Privileges: Low-privileged users can execute administrative ping functions, enabling internal network reconnaissance and minor resource consumption.
  • CVE-2025-6949 - Execution with Unnecessary Privileges: Authenticated low-privileged users can create new administrator accounts, including impersonating existing users.
  • CVE-2025-6950 - Hard-coded Credentials: An unauthenticated attacker can forge valid JWTs to bypass authentication and impersonate any user.

These vulnerabilities critically affect the confidentiality, integrity, and availability of Moxa devices and connected systems. Exploitation could allow attackers to gain unauthorised administrative access, execute commands with elevated privileges, and pivot into ICS/OT networks, potentially causing operational disruption or data manipulation.

Given the combination of authenticated and unauthenticated attack vectors, there is a credible risk of attackers chaining these flaws for escalated impact.

Description

In affected firmware versions, multiple Moxa industrial network appliances suffer from several critical vulnerabilities. These flaws allow attackers to:

  • Gain unauthorized administrative access via embedded credentials.
  • Create or modify privileged accounts remotely.
  • Execute arbitrary system commands under elevated privileges.
  • Disrupt device operation, leading to denial-of-service conditions.
  • Potentially pivot from the compromised device into connected ICS/OT networks, risking significant operational disruption.

Recommended Actions

Patch 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

CVE.org