CVE-2025-6950: CWE-798: Use of Hard-coded Credentials in Moxa EDR-G9010 Series
An Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
AI Analysis
Technical Summary
CVE-2025-6950 is a vulnerability classified under CWE-798, indicating the use of hard-coded credentials in Moxa’s EDR-G9010 Series network security appliances and routers, specifically version 1.0. The affected devices use a static, hard-coded secret key to sign JSON Web Tokens (JWTs) that authenticate users. Because the secret key is embedded in the device firmware and cannot be changed or individualized, an attacker who discovers this key can forge JWTs that appear valid to the system. This allows an unauthenticated attacker to bypass all authentication mechanisms and impersonate any user, including administrators. The vulnerability does not require any prior access, user interaction, or privileges, making it trivially exploitable remotely over the network. Once exploited, the attacker gains full administrative control over the device, enabling actions such as configuration changes, data exfiltration, and disruption of network security functions. The vulnerability’s impact is confined to the compromised device itself, with no direct compromise of connected systems. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H) reflects a critical severity rating of 9.9, highlighting the ease of exploitation and the high impact on confidentiality, integrity, and availability. No patches or mitigations have been officially released at the time of publication, and no exploits have been observed in the wild, though the risk remains significant given the device’s role in network security.
Potential Impact
For European organizations, the impact of CVE-2025-6950 is substantial due to the critical role Moxa EDR-G9010 devices play in securing industrial and enterprise networks. Successful exploitation can lead to complete compromise of the affected network security appliance, resulting in unauthorized access to network management interfaces, potential interception or manipulation of network traffic, and disruption of security controls. This can cause data breaches, operational downtime, and loss of trust in network infrastructure. Given the device’s deployment in industrial control systems (ICS), critical infrastructure, and enterprise environments, the vulnerability could facilitate lateral movement or serve as a foothold for further attacks. However, the vulnerability does not directly compromise downstream systems’ confidentiality or integrity, limiting the scope to the device itself. Still, the loss of availability or integrity of these security appliances can have cascading effects on network security posture and compliance with European data protection regulations such as GDPR. Organizations relying on these devices for perimeter or internal segmentation security face increased risk of targeted attacks and potential regulatory penalties if breaches occur.
Mitigation Recommendations
Given the absence of official patches, European organizations should immediately implement compensating controls to mitigate CVE-2025-6950. These include isolating affected devices from untrusted networks and restricting management access to trusted administrative networks only, using network segmentation and strict firewall rules. Deploy network intrusion detection/prevention systems (IDS/IPS) to monitor for anomalous JWT usage or unauthorized access attempts. Change default configurations where possible and disable remote management interfaces if not required. Employ multi-factor authentication (MFA) on adjacent systems to reduce risk from compromised devices. Monitor device logs and network traffic for signs of token forgery or suspicious activity. Engage with Moxa for firmware updates or advisories and plan for rapid deployment of patches once available. Consider replacing vulnerable devices in high-risk environments if mitigation is not feasible. Additionally, conduct thorough security assessments of network architecture to minimize exposure of critical devices. Document and rehearse incident response plans specific to device compromise scenarios to ensure rapid containment.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland
CVE-2025-6950: CWE-798: Use of Hard-coded Credentials in Moxa EDR-G9010 Series
Description
An Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.
AI-Powered Analysis
Technical Analysis
CVE-2025-6950 is a vulnerability classified under CWE-798, indicating the use of hard-coded credentials in Moxa’s EDR-G9010 Series network security appliances and routers, specifically version 1.0. The affected devices use a static, hard-coded secret key to sign JSON Web Tokens (JWTs) that authenticate users. Because the secret key is embedded in the device firmware and cannot be changed or individualized, an attacker who discovers this key can forge JWTs that appear valid to the system. This allows an unauthenticated attacker to bypass all authentication mechanisms and impersonate any user, including administrators. The vulnerability does not require any prior access, user interaction, or privileges, making it trivially exploitable remotely over the network. Once exploited, the attacker gains full administrative control over the device, enabling actions such as configuration changes, data exfiltration, and disruption of network security functions. The vulnerability’s impact is confined to the compromised device itself, with no direct compromise of connected systems. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H) reflects a critical severity rating of 9.9, highlighting the ease of exploitation and the high impact on confidentiality, integrity, and availability. No patches or mitigations have been officially released at the time of publication, and no exploits have been observed in the wild, though the risk remains significant given the device’s role in network security.
Potential Impact
For European organizations, the impact of CVE-2025-6950 is substantial due to the critical role Moxa EDR-G9010 devices play in securing industrial and enterprise networks. Successful exploitation can lead to complete compromise of the affected network security appliance, resulting in unauthorized access to network management interfaces, potential interception or manipulation of network traffic, and disruption of security controls. This can cause data breaches, operational downtime, and loss of trust in network infrastructure. Given the device’s deployment in industrial control systems (ICS), critical infrastructure, and enterprise environments, the vulnerability could facilitate lateral movement or serve as a foothold for further attacks. However, the vulnerability does not directly compromise downstream systems’ confidentiality or integrity, limiting the scope to the device itself. Still, the loss of availability or integrity of these security appliances can have cascading effects on network security posture and compliance with European data protection regulations such as GDPR. Organizations relying on these devices for perimeter or internal segmentation security face increased risk of targeted attacks and potential regulatory penalties if breaches occur.
Mitigation Recommendations
Given the absence of official patches, European organizations should immediately implement compensating controls to mitigate CVE-2025-6950. These include isolating affected devices from untrusted networks and restricting management access to trusted administrative networks only, using network segmentation and strict firewall rules. Deploy network intrusion detection/prevention systems (IDS/IPS) to monitor for anomalous JWT usage or unauthorized access attempts. Change default configurations where possible and disable remote management interfaces if not required. Employ multi-factor authentication (MFA) on adjacent systems to reduce risk from compromised devices. Monitor device logs and network traffic for signs of token forgery or suspicious activity. Engage with Moxa for firmware updates or advisories and plan for rapid deployment of patches once available. Consider replacing vulnerable devices in high-risk environments if mitigation is not feasible. Additionally, conduct thorough security assessments of network architecture to minimize exposure of critical devices. Document and rehearse incident response plans specific to device compromise scenarios to ensure rapid containment.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Moxa
- Date Reserved
- 2025-07-01T05:10:28.304Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68f1b8039f8a5dbaea8c0706
Added to database: 10/17/2025, 3:29:07 AM
Last enriched: 10/17/2025, 3:33:01 AM
Last updated: 10/19/2025, 9:05:18 AM
Views: 49
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-11940: Uncontrolled Search Path in LibreWolf
HighCVE-2025-11939: Path Traversal in ChurchCRM
MediumCVE-2025-11938: Deserialization in ChurchCRM
MediumResearchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices
CriticalCVE-2025-62672: CWE-770 Allocation of Resources Without Limits or Throttling in boyns rplay
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.