CVE-2025-6894
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-6894, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-17

Last updated on: 2025-10-21

Assigner: Moxa Inc.

Description

An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authorization logic of the affected device allows an authenticated, low-privileged user to execute the administrative `ping` function, which is restricted to higher-privileged roles. This vulnerability enables the user to perform internal network reconnaissance, potentially discovering internal hosts or services that would otherwise be inaccessible. Repeated exploitation could lead to minor resource consumption. While the overall impact is limited, it may result in some loss of confidentiality and availability on the affected device. There is no impact on the integrity of the device, and the vulnerability does not affect any subsequent systems.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-17
Last Modified
2025-10-21
Generated
2026-07-06
AI Q&A
2025-10-17
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 9 associated CPEs
Vendor Product Version / Range
moxa edr-g9010 *
moxa network_security_appliances *
moxa edr-8010 *
moxa oncell_g4302-lte4 *
moxa nat-102 *
moxa routers *
moxa nat-108 *
moxa edf-g1002-bp *
moxa tn-4900 *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an Execution with Unnecessary Privileges flaw in Moxa's network security appliances and routers. It occurs because of a flaw in the API authorization logic that allows an authenticated user with low privileges to execute the administrative 'ping' function, which should only be accessible to higher-privileged roles. This means a low-privileged user can perform internal network reconnaissance by discovering internal hosts or services that are normally restricted.

Impact Analysis

The vulnerability can impact you by allowing a low-privileged user to perform internal network reconnaissance, potentially discovering internal hosts or services that should be inaccessible. Repeated exploitation could cause minor resource consumption. Overall, it may lead to some loss of confidentiality and availability on the affected device, but it does not affect the integrity of the device or any subsequent systems.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-6894. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart