CVE-2025-15017: CWE-489: Active Debug Code in Moxa NPort 5000AI-M12 Series
A vulnerability exists in serial device servers where active debug code remains enabled in the UART interface. An attacker with physical access to the device can directly connect to the UART interface and, without authentication, user interaction, or execution conditions, gain unauthorized access to internal debug functionality. Exploitation is low complexity and allows an attacker to execute privileged operations and access sensitive system resources, resulting in a high impact to the confidentiality, integrity, and availability of the affected device. No security impact to external or dependent systems has been identified.
AI Analysis
Technical Summary
CVE-2025-15017 is a vulnerability classified under CWE-489 (Active Debug Code) found in the Moxa NPort 5000AI-M12 Series serial device servers, specifically version 1.0. The issue stems from debug code that remains active on the UART interface, which is a hardware serial communication port. This debug interface is accessible without any authentication, user interaction, or execution conditions, meaning an attacker only needs physical access to the device to exploit it. By connecting directly to the UART interface, the attacker can access internal debug functionalities that allow execution of privileged operations. This can lead to unauthorized access to sensitive system resources, potentially compromising the device’s confidentiality, integrity, and availability. The vulnerability has a CVSS 4.0 base score of 7.0, indicating high severity, with attack vector being physical (AV:P), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The scope is unchanged, but the impact on confidentiality, integrity, and availability is high. No remote exploitation or impact on connected external systems has been reported. No patches or fixes have been provided yet, and no known exploits are currently in the wild. The vulnerability is particularly concerning in environments where physical security is insufficient, such as industrial control systems or network infrastructure using these serial device servers.
Potential Impact
For European organizations, the impact of CVE-2025-15017 is significant in sectors relying on industrial automation, manufacturing, transportation, and critical infrastructure that utilize Moxa NPort 5000AI-M12 Series devices. Compromise of these devices can lead to unauthorized privileged access, potentially disrupting operations or leaking sensitive operational data. Although the attack requires physical access, many industrial environments have distributed devices in less secure locations, increasing risk. The vulnerability could enable attackers to manipulate device behavior, degrade system availability, or pivot to other internal systems if physical security is weak. However, since no remote exploitation is possible and no impact on external systems is identified, the threat is limited to environments with inadequate physical controls. European organizations with legacy or unpatched Moxa devices should consider this vulnerability a high risk to operational technology (OT) security and network reliability.
Mitigation Recommendations
1. Immediately enhance physical security controls around all Moxa NPort 5000AI-M12 Series devices to prevent unauthorized physical access, including locked cabinets, surveillance, and access logging.
2. Conduct an inventory of all affected devices and isolate or restrict access to those in unsecured or publicly accessible locations.
3. Monitor device behavior and network traffic for anomalies that could indicate exploitation attempts.
4. Engage with Moxa for any forthcoming patches or firmware updates addressing this vulnerability and plan prompt deployment.
5. If possible, disable or restrict UART interface access physically or via configuration to prevent unauthorized debug access.
6. Implement strict operational procedures for maintenance personnel to ensure no unauthorized connections to device interfaces.
7. Consider network segmentation to limit the impact of compromised devices on broader network infrastructure.
8. Train staff on the risks of physical access vulnerabilities and the importance of securing industrial devices.
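What recommendation 5 and the CWE-489 classification mean at the firmware level, as an added C illustration that is not Moxa firmware and not part of the original advisory: a serial console dispatcher in its weak form beside a hardened one. The command verbs, the lifecycle flag and the session structure are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration of CWE-489 on a serial console. All names are
 * hypothetical; CMD_OK means "the command would be dispatched". */
enum lifecycle { LC_DEVELOPMENT, LC_PRODUCTION };
enum cmd_result { CMD_OK, CMD_UNKNOWN, CMD_DENIED };

struct uart_session {
    enum lifecycle lc;   /* provisioned at manufacture, read-only at runtime */
    int authenticated;   /* set only after a successful console login */
};

/* Hypothetical privileged debug verbs left over from board bring-up. */
static int is_debug_cmd(const char *line) {
    static const char *const verbs[] = { "dbg_peek", "dbg_poke", "dbg_exec" };
    for (size_t i = 0; i < sizeof verbs / sizeof verbs[0]; i++)
        if (strcmp(line, verbs[i]) == 0)
            return 1;
    return 0;
}

/* Weak form: debug verbs are dispatched for anyone on the wire. */
enum cmd_result dispatch_weak(const struct uart_session *s, const char *line) {
    (void)s; /* session state is never consulted: that is the defect */
    if (strcmp(line, "status") == 0 || is_debug_cmd(line))
        return CMD_OK;
    return CMD_UNKNOWN;
}

/* Hardened form: debug verbs need a development-lifecycle unit AND a
 * logged-in session; the ordinary console commands are unchanged. */
enum cmd_result dispatch_hardened(const struct uart_session *s, const char *line) {
    if (strcmp(line, "status") == 0)
        return CMD_OK;
    if (is_debug_cmd(line)) {
        if (s->lc == LC_DEVELOPMENT && s->authenticated)
            return CMD_OK;
        return CMD_DENIED;
    }
    return CMD_UNKNOWN;
}

int main(void) {
    struct uart_session field = { LC_PRODUCTION, 0 }; /* deployed unit, no login */
    return dispatch_hardened(&field, "dbg_poke") == CMD_DENIED ? 0 : 1;
}
```

In a production image the debug verbs are better compiled out entirely, so that the runtime check is a second layer rather than the only one.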
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Norway
Technical Details
- Data Version: 5.2
- Assigner Short Name: Moxa
- Date Reserved: 2025-12-22T02:07:12.459Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6954d7bedb813ff03ed404d3
Added to database: 12/31/2025, 7:58:54 AM
Last enriched: 12/31/2025, 8:13:58 AM
Last updated: 1/7/2026, 3:54:34 AM