Warning: Multiple Critical Vulnerabilities in Moxa Inc. ICS Network Appliances and Routers, Patch Immediately!

Published: 21/10/2025
  • Last update: 21/10/2025
  • Affected software:
    → EDR-G9010 Series v3.14 and earlier
    → EEDR-8010 Series v3.17 and earlier
    → EEDF-G1002-BP Series v3.17 and earlier
    → ETN-4900 Series v3.14 and earlier
    → ENAT-102 Series v3.17 and earlier
    → ENAT-108 Series v3.16 and earlier
    → EOnCell G4302-LTE4 Series v3.13 and earlier
  • Type:
    → Incorrect Authorization
    → Execution with Unnecessary Privileges
    → Use of Hard-coded Credentials
  • CVE/CVSS:
    → CVE-2025-6892: CVSS 8.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H)
    → CVE-2025-6893: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H)
    → CVE-2025-6894: CVSS 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N)
    → CVE-2025-6949: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H)
    → CVE-2025-6950: CVSS 9.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H)

Sources

Moxa - https://www.moxa.com/en/support/product-support/security-advisory/mpsa-258121-cve-2025-6892,-cve-2025-6893,-cve-2025-6894,-cve-2025-6949,-cve-2025-6950-multiple-vulnerabilities-in-netwo

Risks

Successful exploitation of vulnerabilities in Moxa industrial network appliances allows:

  • CVE-2025-6892 - Incorrect Authorization: Authenticated users can access protected API endpoints beyond their privilege level, allowing unauthorized privileged operations.
  • CVE-2025-6893 - Execution with Unnecessary Privileges: Low-privileged users can modify system configuration via the /api/v1/setting/data endpoint.
  • CVE-2025-6894 - Execution with Unnecessary Privileges: Low-privileged users can execute administrative ping functions, enabling internal network reconnaissance and minor resource consumption.
  • CVE-2025-6949 - Execution with Unnecessary Privileges: Authenticated low-privileged users can create new administrator accounts, including impersonating existing users.
  • CVE-2025-6950 - Hard-coded Credentials: An unauthenticated attacker can forge valid JWTs to bypass authentication and impersonate any user.

These vulnerabilities critically affect the confidentiality, integrity, and availability of Moxa devices and connected systems. Exploitation could allow attackers to gain unauthorized administrative access, execute commands with elevated privileges, and pivot into ICS/OT networks, potentially causing operational disruption or data manipulation.

Given the combination of authenticated and unauthenticated attack vectors, there is a credible risk of attackers chaining these flaws for escalated impact.

No evidence of active exploitation has been observed.

Description

In affected firmware versions, multiple Moxa industrial network appliances suffer from several critical vulnerabilities. These flaws allow attackers to:

  • Gain unauthorized administrative access via embedded credentials.
  • Create or modify privileged accounts remotely.
  • Execute arbitrary system commands under elevated privileges.
  • Disrupt device operation, leading to denial-of-service conditions.
  • Potentially pivot from the compromised device into connected ICS/OT networks, risking significant operational disruption.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

CVE - https://www.cve.org/CVERecord?id=CVE-2025-6892
CVE - https://www.cve.org/CVERecord?id=CVE-2025-6893
CVE - https://www.cve.org/CVERecord?id=CVE-2025-6894
CVE - https://www.cve.org/CVERecord?id=CVE-2025-6949
CVE - https://www.cve.org/CVERecord?id=CVE-2025-6950