Critical Moxa Flaw (CVE-2025-6950, CVSS 9.9) Allows Unauthenticated Admin Takeover via Hard-Coded JWT Secret

Moxa, a leading manufacturer of industrial networking and security appliances, has released an urgent security advisory addressing five critical vulnerabilities affecting multiple product series, including EDR, EDF, TN, NAT, and OnCell devices. The flaws, tracked as CVE-2025-6892 through CVE-2025-6950, could allow attackers to bypass authentication, escalate privileges, and gain full administrative control over affected systems.

The most severe of the vulnerabilities, CVE-2025-6950, carries a CVSS score of 9.9 and stems from the use of hard-coded credentials within the authentication mechanism of Moxa’s devices.

“The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication,” the advisory explains. “This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user.”

Successful exploitation would grant attackers full administrative control over the device, enabling them to access data, alter configurations, or disable security features entirely.

“Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device,” Moxa noted.

Another critical flaw, CVE-2025-6949 (CVSS 9.3), allows a low-privileged user to create new administrator accounts, even using existing usernames.

“A critical authorization flaw in the API allows an authenticated, low-privileged user to create a new administrator account, including accounts with usernames identical to existing users,” the advisory stated.

This could enable account impersonation and device takeover, severely compromising confidentiality, integrity, and availability.

In CVE-2025-6893 (CVSS 9.3), an execution with unnecessary privileges was found in the /api/v1/setting/data endpoint.

“A flaw in broken access control allows a low-privileged authenticated user to call the API without the required permissions, thereby gaining the ability to access or modify system configuration data,” Moxa reported.

Attackers exploiting this issue could escalate privileges and modify sensitive configurations, potentially altering network rules or exposing the device to remote manipulation.

The CVE-2025-6892 (CVSS 8.7) vulnerability arises from incorrect authorization logic in the API authentication mechanism.

“A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions,” the advisory warns.

Although the attack requires a valid session, poor session validation allows threat actors to perform privileged operations once a legitimate user is logged in, without proper permission enforcement.

While rated lower in severity, CVE-2025-6894 (CVSS 5.3) still presents a potential vector for internal network reconnaissance.

“A flaw in the API authorization logic allows an authenticated, low-privileged user to execute the administrative ‘ping’ function,” Moxa explained. “This enables the user to perform internal network reconnaissance, potentially discovering internal hosts or services that would otherwise be inaccessible.”

Repeated exploitation could result in minor resource consumption or limited data exposure, but not full compromise.

Moxa confirmed that the following product lines are affected and should be updated to firmware version 3.21 or later:

Related Posts:

• Critical Vulnerability in Moxa PT Switches Allows Unauthorized Access
• Linux Kernel Vulnerability Impacts Numerous Moxa Products
• CVE-2024-9404: Remote DoS Vulnerability Found in Moxa Industrial Switches
• Moxa PT Switches Vulnerable to CVE-2024-9404 Denial-of-Service Attack
• Western Digital ‘My Cloud’ Storage Devices exist secret hard-coded backdoor