CVE-2025-5191: CWE-428: Unquoted Search Path or Element in Moxa Utility for DRP-A100 Series
An Unquoted Search Path vulnerability has been identified in the utility for Moxa’s industrial computers (Windows). Due to the unquoted path configuration in the SerialInterfaceService.exe utility, a local attacker with limited privileges could place a malicious executable in a higher-priority directory within the search path. When the Serial Interface service starts, the malicious executable could be run with SYSTEM privileges. Successful exploitation could allow privilege escalation or enable an attacker to maintain persistence on the affected system. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality, integrity, or availability within any subsequent systems.
AI Analysis
Technical Summary
CVE-2025-5191 is a high-severity vulnerability classified under CWE-428 (Unquoted Search Path or Element) affecting the Moxa DRP-A100 Series industrial computers running Windows. The vulnerability arises from an unquoted path configuration in the SerialInterfaceService.exe utility. Specifically, the executable path used by the service is not enclosed in quotes, which can cause Windows to incorrectly parse the path and search for executables in directories with higher priority in the search order. A local attacker with limited privileges can exploit this by placing a malicious executable in one of these higher-priority directories. When the Serial Interface service starts, it inadvertently executes the attacker's malicious code with SYSTEM-level privileges, resulting in privilege escalation. This can allow the attacker to maintain persistence on the affected device and potentially manipulate or disrupt its operation. Although the vulnerability impacts the confidentiality, integrity, and availability of the affected device itself, it does not directly compromise downstream systems connected to it. The vulnerability has a CVSS v4.0 score of 7.3, indicating a high severity level, with attack vector local, low attack complexity, partial privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently in the wild, and no patches have been published yet. The affected version is 1.0 of the DRP-A100 Series utility.
Potential Impact
For European organizations, especially those operating critical infrastructure or industrial environments, this vulnerability poses a significant risk. The Moxa DRP-A100 Series is used in industrial control systems (ICS) and automation, which are often integral to manufacturing, energy, transportation, and utilities sectors. Successful exploitation could allow attackers to gain SYSTEM-level control over these devices, enabling them to disrupt operations, alter device configurations, or maintain long-term persistence. This could lead to operational downtime, safety hazards, and potential regulatory non-compliance under frameworks such as NIS2 or GDPR if personal data or operational data is affected indirectly. Although the vulnerability does not propagate beyond the device itself, the compromised device could serve as a foothold for lateral movement within a network, increasing the risk of broader industrial espionage or sabotage. The local attack vector means that attackers would need some level of access to the device or network segment, which could be achieved via insider threats or through other compromised systems.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting local access to the affected devices, ensuring that only trusted administrators have physical or network-level access.
2. Implement strict application whitelisting and endpoint protection to detect and block unauthorized executables in directories that are part of the system PATH.
3. Review and harden the service startup configurations by manually verifying and correcting the executable paths to be properly quoted, preventing the unquoted search path issue.
4. Employ monitoring and alerting for unusual service restarts or execution of unknown binaries with SYSTEM privileges on these devices.
5. Network segmentation should be enforced to isolate industrial control devices from general IT networks, reducing the risk of lateral movement.
6. Engage with Moxa for official patches or updates and apply them promptly once available.
7. Conduct regular security audits and vulnerability assessments on industrial devices to identify similar configuration weaknesses.
8. Educate operational technology (OT) personnel about the risks of local privilege escalation and the importance of secure configuration management.
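The following PowerShell script is an added example for recommendation 3 and 7 above; it is not code from Moxa, from the CVE record, or from offseq.com. It audits every service under the real registry key HKLM:\SYSTEM\CurrentControlSet\Services for an ImagePath that contains a space but is not quoted (the CWE-428 pattern, where CreateProcess may try each prefix of the path up to a space as an executable name), and offers a helper that wraps the executable portion in quotes. The service name 'SerialInterfaceService' in the usage lines is an assumption; check the actual service name registered for SerialInterfaceService.exe on the device before applying the fix, and preview with -WhatIf first.

```powershell
# Added example (not Moxa's or offseq's code): audit Windows services for
# unquoted ImagePath values that contain spaces (CWE-428) and optionally
# wrap the executable portion in quotes. Run from an elevated PowerShell.
# The service name used in the usage lines is an assumption to verify locally.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $img = $props.ImagePath
        if (-not $img) { return }
        # Expand %SystemRoot%-style variables so the check sees the real path
        $expanded = [Environment]::ExpandEnvironmentVariables($img)
        # Candidate pattern: drive-letter path, no leading quote, and a space
        # somewhere before an ".exe" token. Treat hits as candidates to verify.
        if ($expanded -notmatch '^\s*"' -and
            $expanded -match '^\s*[A-Za-z]:\\[^"]*\s[^"]*\.exe(\s|$)') {
            [PSCustomObject]@{
                Service   = $_.PSChildName
                ImagePath = $img
            }
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ServiceName)
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $img  = (Get-ItemProperty -Path $path).ImagePath
    # Split the executable (up to the first ".exe") from any trailing arguments
    if ($img -match '^(?<exe>[^"]+?\.exe)(?<args>.*)$') {
        $fixed = '"{0}"{1}' -f $Matches.exe, $Matches.args
        if ($PSCmdlet.ShouldProcess($ServiceName, "Set ImagePath to $fixed")) {
            Set-ItemProperty -Path $path -Name ImagePath -Value $fixed
        }
        return $fixed
    }
    # Already quoted or not an .exe path: return unchanged
    return $img
}

# Audit: list every candidate service and its raw ImagePath
Get-UnquotedServicePath | Format-Table -AutoSize

# Fix (assumed service name; preview first, then run without -WhatIf):
# Repair-UnquotedServicePath -ServiceName 'SerialInterfaceService' -WhatIf
```

The audit function reports candidates rather than certainties: an argument string that itself ends in ".exe" will also match, so confirm each hit against the service's actual binary before repairing it. The repair helper changes only the registry value; restart the service (or reboot) afterwards and re-run the audit to confirm the path now starts with a quote.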
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Poland, Spain, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Moxa
- Date Reserved: 2025-05-26T05:18:48.345Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ac1c23ad5a09ad0049f6b7
Added to database: 8/25/2025, 8:17:39 AM
Last enriched: 8/25/2025, 8:32:48 AM
Last updated: 8/25/2025, 2:25:49 PM
Related Threats
- CVE-2025-50722: n/a (severity: Unknown)
- CVE-2025-9410: SQL Injection in lostvip-com ruoyi-go (severity: Medium)
- CVE-2025-29421: n/a (severity: High)
- CVE-2025-29420: n/a (severity: High)
- CVE-2025-6737: CWE-1391: Use of Weak Credentials in Securden Unified PAM (severity: High)