CVE-2025-1679
BaseFortify
Publication date: 2025-10-23
Last updated on: 2025-10-27
Assigner: Moxa Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| moxa | ethernet_switch | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-1679 is a stored cross-site scripting (XSS) vulnerability in Moxa Ethernet switches. It allows an authenticated administrative attacker to inject malicious scripts into the device's web service, which persist across sessions. These scripts can then execute in the browsers of authenticated users interacting with the device's web interface, potentially leading to theft of cookies, session tokens, keylogging, or manipulation of the web interface content. The vulnerability requires administrative privileges and user interaction to exploit. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject malicious scripts that execute in the browsers of authenticated users accessing the device's web interface. This can lead to theft of sensitive information such as cookies or session tokens, keylogging, and defacement or manipulation of the web interface. While there is no direct impact on the device's confidentiality, integrity, or availability, there can be some loss of confidentiality and integrity in subsequent systems that interact with the device. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-1679 involves monitoring for anomalous or unexpected script injections in the web interface of affected Moxa Ethernet switches. Since the vulnerability requires authenticated administrative access and user interaction, detection can include reviewing web server logs and event logs for suspicious input or script payloads. Network traffic monitoring for unusual HTTP requests to the device's web service may help identify exploitation attempts. Specific commands are not provided in the resources, but general recommendations include enabling event logging, audit trails, and regularly reviewing logs for anomalies. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: restricting network access to the affected devices using firewalls and access control lists (ACLs) to trusted IP addresses; segregating operational networks from enterprise networks using VLANs or physical separation; avoiding direct exposure of devices to the Internet; disabling unused services and ports; implementing multi-factor authentication (MFA) and role-based access control (RBAC); regularly updating firmware and applying security patches provided by Moxa (e.g., updating TN-4500A and TN-5500A series to firmware v4.0 or later, and applying security patch v5.5.255 for TN-G4500 and TN-G6500 series); using encrypted protocols such as VPN or SSH for remote access and restricting access to authorized personnel; monitoring network traffic and device behavior for anomalies; enabling event logging and audit trails and regularly reviewing logs; and conducting regular vulnerability assessments and configuration reviews. [1, 2]