
CVE-2025-6950: CWE-798: Use of Hard-coded Credentials in Moxa EDR-G9010 Series

Critical
Published: Fri Oct 17 2025 (10/17/2025, 03:19:48 UTC)
Source: CVE Database V5
Vendor/Project: Moxa
Product: EDR-G9010 Series

Description

A Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.

AI-Powered Analysis

Last updated: 10/17/2025, 03:33:01 UTC

Technical Analysis

CVE-2025-6950 is a vulnerability classified under CWE-798, indicating the use of hard-coded credentials in Moxa’s EDR-G9010 Series network security appliances and routers, specifically version 1.0. The affected devices use a static, hard-coded secret key to sign JSON Web Tokens (JWTs) that authenticate users. Because the secret key is embedded in the device firmware and cannot be changed or individualized, an attacker who discovers this key can forge JWTs that appear valid to the system. This allows an unauthenticated attacker to bypass all authentication mechanisms and impersonate any user, including administrators. The vulnerability does not require any prior access, user interaction, or privileges, making it trivially exploitable remotely over the network. Once exploited, the attacker gains full administrative control over the device, enabling actions such as configuration changes, data exfiltration, and disruption of network security functions. The vulnerability’s impact is confined to the compromised device itself, with no direct compromise of connected systems. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H) reflects a critical severity rating of 9.9, highlighting the ease of exploitation and the high impact on confidentiality, integrity, and availability. No patches or mitigations have been officially released at the time of publication, and no exploits have been observed in the wild, though the risk remains significant given the device’s role in network security.

Potential Impact

For European organizations, the impact of CVE-2025-6950 is substantial due to the critical role Moxa EDR-G9010 devices play in securing industrial and enterprise networks. Successful exploitation can lead to complete compromise of the affected network security appliance, resulting in unauthorized access to network management interfaces, potential interception or manipulation of network traffic, and disruption of security controls. This can cause data breaches, operational downtime, and loss of trust in network infrastructure. Given the device’s deployment in industrial control systems (ICS), critical infrastructure, and enterprise environments, the vulnerability could facilitate lateral movement or serve as a foothold for further attacks. However, the vulnerability does not directly compromise downstream systems’ confidentiality or integrity, limiting the scope to the device itself. Still, the loss of availability or integrity of these security appliances can have cascading effects on network security posture and compliance with European data protection regulations such as GDPR. Organizations relying on these devices for perimeter or internal segmentation security face increased risk of targeted attacks and potential regulatory penalties if breaches occur.

Mitigation Recommendations

Given the absence of official patches, European organizations should immediately implement compensating controls to mitigate CVE-2025-6950. These include isolating affected devices from untrusted networks and restricting management access to trusted administrative networks only, using network segmentation and strict firewall rules. Deploy network intrusion detection/prevention systems (IDS/IPS) to monitor for anomalous JWT usage or unauthorized access attempts. Change default configurations where possible and disable remote management interfaces if not required. Employ multi-factor authentication (MFA) on adjacent systems to reduce risk from compromised devices. Monitor device logs and network traffic for signs of token forgery or suspicious activity. Engage with Moxa for firmware updates or advisories and plan for rapid deployment of patches once available. Consider replacing vulnerable devices in high-risk environments if mitigation is not feasible. Additionally, conduct thorough security assessments of network architecture to minimize exposure of critical devices. Document and rehearse incident response plans specific to device compromise scenarios to ensure rapid containment.
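
One way to act on the log-monitoring recommendation above, as an added example (not Moxa's code and not part of the original page): reconcile tokens seen on the management interface against logins the device actually recorded, since a token forged with the hard-coded key has no matching login. The log layout, the use of the `sub` and `iat` claims, the addresses and the helper names are assumptions, and all sample data is constructed.

```python
import base64
import json

# Constructed sample data. Field names and log layout are assumptions,
# not the EDR-G9010's real log or token format.
LOGINS = [  # successful logins recorded by the device: (epoch, user, source IP)
    (1760670000, "operator", "10.0.5.20"),
]
SKEW = 5  # seconds of tolerance between a login record and the token's iat


def claims_of(token):
    """Decode JWT claims without verifying the signature; None if malformed."""
    try:
        _header, payload, _sig = token.split(".")
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        claims = json.loads(raw)
        return claims if isinstance(claims, dict) else None
    except (ValueError, TypeError):
        return None


def classify(request, logins=LOGINS):
    """Verdict for one (source IP, bearer token) pair seen at the management interface."""
    src_ip, token = request
    claims = claims_of(token)
    if claims is None or not isinstance(claims.get("iat"), int):
        return "malformed"
    issued = [rec for rec in logins
              if rec[1] == claims.get("sub") and abs(rec[0] - claims["iat"]) <= SKEW]
    if not issued:
        return "no-matching-login"  # the device has no record of issuing this token
    if all(rec[2] != src_ip for rec in issued):
        return "source-mismatch"    # issued, but presented from a different host
    return "ok"


def sample_token(claims):
    """Constructed demo token with a placeholder signature (never verified here)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    seen = [("10.0.5.20", sample_token({"sub": "operator", "iat": 1760670002})),
            ("10.0.9.77", sample_token({"sub": "admin", "iat": 1760673600}))]
    for req in seen:
        print(req[0], classify(req))
```

This reconciliation is a compensating detection signal only; it does not replace restricting management access as recommended above.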


Technical Details

Data Version: 5.1
Assigner Short Name: Moxa
Date Reserved: 2025-07-01T05:10:28.304Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68f1b8039f8a5dbaea8c0706

Added to database: 10/17/2025, 3:29:07 AM

Last enriched: 10/17/2025, 3:33:01 AM

Last updated: 10/19/2025, 9:05:18 AM
