CVE-2025-1679 is a stored cross-site scripting (XSS) vulnerability identified in the web management interface of Moxa TN-4500A Series Ethernet switches, specifically version 1.0. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an authenticated administrative user to inject malicious JavaScript code into the device’s web service. Because the XSS is stored, the injected scripts persist across sessions and are executed whenever other authenticated users access the affected web interface. The attack vector requires network access and administrative privileges, with no user interaction needed beyond accessing the web interface. The vulnerability does not directly compromise the device’s confidentiality, integrity, or availability but can lead to secondary impacts on confidentiality and integrity in systems accessed through the device’s management interface, such as session hijacking or credential theft of authenticated users. The CVSS 4.0 score of 4.8 reflects the medium severity, considering the requirement for high privileges and user interaction, and the limited scope of impact. No public exploits are known at this time, but the persistence of the malicious script increases risk if exploited. The lack of available patches at publication time necessitates proactive mitigation strategies. This vulnerability highlights the importance of secure input validation and sanitization in embedded device web interfaces, especially those used in industrial and critical network environments.

For European organizations, particularly those in industrial, manufacturing, energy, and critical infrastructure sectors that rely on Moxa TN-4500A Ethernet switches for network management, this vulnerability poses a risk of session hijacking, credential theft, or unauthorized actions performed via the web interface. Although the device itself remains operational and its core functions intact, attackers exploiting this XSS could compromise the confidentiality and integrity of user sessions and potentially pivot to other systems within the network. This could lead to unauthorized access to sensitive operational data or control interfaces, undermining trust in network management systems. The impact is heightened in environments where multiple administrators access the device remotely, increasing the attack surface. Given the medium severity, the threat is moderate but should not be underestimated in environments with stringent security requirements or regulatory compliance obligations such as GDPR, NIS Directive, or sector-specific standards.

1. Restrict administrative access to the Moxa TN-4500A web interface to trusted networks and users only, using network segmentation and access control lists (ACLs). 2. Enforce strong authentication mechanisms and consider multi-factor authentication (MFA) for administrative access to reduce risk from compromised credentials. 3. Monitor administrative sessions for unusual activity and implement logging and alerting on web interface access. 4. Until an official patch is released, consider disabling the web management interface if alternative management methods (e.g., CLI via secure channels) are available. 5. Implement web application firewall (WAF) rules or intrusion detection/prevention systems (IDS/IPS) to detect and block malicious script injections targeting the device’s web interface. 6. Educate administrators on the risks of XSS and encourage cautious behavior when interacting with device management interfaces. 7. Once patches are available from Moxa, prioritize timely deployment to remediate the vulnerability. 8. Regularly review and update device firmware and software to maintain security posture.