
CVE-2025-1977: CWE-250: Execution with Unnecessary Privileges in Moxa NPort 6100-G2/6200-G2 Series

Severity: High
Type: Vulnerability
Published: Wed Dec 31 2025 (12/31/2025, 07:23:28 UTC)
Source: CVE Database V5
Vendor/Project: Moxa
Product: NPort 6100-G2/6200-G2 Series

Description

CVE-2025-1977 is a high-severity vulnerability affecting Moxa NPort 6100-G2/6200-G2 Series devices, allowing authenticated users with read-only access to perform unauthorized configuration changes via the MCC tool. Exploitation requires low attack complexity, no user interaction, and can be done remotely over the network, but depends on specific system configurations. Successful exploitation can compromise device confidentiality, integrity, and availability by enabling privilege escalation beyond intended user roles. No impact on other connected systems has been reported. The vulnerability does not have known exploits in the wild yet. European organizations using these devices in critical infrastructure or industrial environments should prioritize mitigation. Patch availability is not indicated, so alternative controls are necessary. The vulnerability has a CVSS 4.0 score of 7.7, reflecting its high risk due to network attack vector and privilege escalation potential.

AI-Powered Analysis

Last updated: 01/07/2026, 13:05:23 UTC

Technical Analysis

CVE-2025-1977 is a vulnerability classified under CWE-250 (Execution with Unnecessary Privileges) affecting Moxa NPort 6100-G2 and 6200-G2 Series serial device servers. These devices are commonly used to connect serial devices to Ethernet networks in industrial and critical infrastructure environments. The flaw allows an authenticated user with only read-only access privileges to escalate their permissions and perform unauthorized configuration changes through the Moxa CLI Configuration (MCC) tool. The attack can be executed remotely over the network without requiring user interaction, and with low complexity, although it depends on certain system conditions or configurations being present. This means that an attacker who has limited access credentials could manipulate device settings, potentially disrupting device operation or exposing sensitive configuration data. The vulnerability impacts confidentiality, integrity, and availability of the affected devices but does not extend to other connected systems. The CVSS 4.0 base score of 7.7 reflects the high severity due to network accessibility, low attack complexity, and significant impact on device security. No known public exploits or patches have been reported at the time of publication, indicating that organizations must rely on compensating controls until a fix is available.

Potential Impact

For European organizations, especially those in industrial automation, manufacturing, energy, transportation, and critical infrastructure sectors that deploy Moxa NPort 6100-G2/6200-G2 Series devices, this vulnerability poses a significant risk. Unauthorized configuration changes could lead to device misconfiguration, operational disruption, or exposure of sensitive operational data. Given the devices' role as gateways between serial equipment and IP networks, exploitation could undermine the security posture of operational technology (OT) environments, potentially causing downtime or safety incidents. Confidentiality breaches could expose sensitive industrial control parameters, while integrity violations could allow attackers to alter device behavior. Availability impacts could disrupt critical communication channels. Since the vulnerability requires authenticated access, insider threats or compromised credentials are primary risk vectors. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in environments where these devices are widely deployed and network access is possible.

Mitigation Recommendations

1. Restrict network access to the management interfaces of Moxa NPort 6100-G2/6200-G2 devices using network segmentation and firewall rules to limit exposure only to trusted administrators.
2. Enforce strong authentication mechanisms and credential management to prevent unauthorized access, including regular password changes and multi-factor authentication if supported.
3. Monitor device logs and network traffic for unusual configuration changes or access patterns indicative of exploitation attempts.
4. Review and tighten user role assignments to ensure that read-only users cannot access configuration tools or escalate privileges.
5. Apply any available firmware updates or patches from Moxa as soon as they are released.
6. If patches are not yet available, consider disabling or restricting the MCC tool usage or management protocols that allow configuration changes.
7. Conduct regular security audits and vulnerability assessments on OT devices to detect and remediate misconfigurations.
8. Implement intrusion detection systems tailored for OT networks to identify anomalous behavior related to device configuration changes.


Technical Details

Data Version: 5.2
Assigner Short Name: Moxa
Date Reserved: 2025-03-05T01:48:49.764Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6954d0b7db813ff03ed1d613

Added to database: 12/31/2025, 7:28:55 AM

Last enriched: 1/7/2026, 1:05:23 PM

Last updated: 1/8/2026, 5:41:15 AM
