CVE-2025-1977
📋 TL;DR
CVE-2025-1977 allows authenticated users with read-only access to perform unauthorized configuration changes on Moxa NPort 6100-G2/6200-G2 Series devices using the MCC tool. This privilege escalation vulnerability can be exploited remotely over the network with low complexity, potentially allowing attackers to modify device settings beyond their intended permissions. Organizations using these specific Moxa serial device servers are affected.
💻 Affected Systems
- Moxa NPort 6100-G2 Series
- Moxa NPort 6200-G2 Series
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with read-only credentials could reconfigure critical device settings, potentially disrupting industrial operations, enabling further network access, or compromising connected systems through manipulated serial communications.
Likely Case
Unauthorized users modify network settings, security configurations, or serial port parameters, leading to service disruption or loss of device integrity.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated devices without affecting broader operations.
🎯 Exploit Status
Exploitation requires authenticated access but has low attack complexity. No public exploit code identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Moxa advisory for specific firmware versions
Restart Required: Yes
Instructions:
1. Review Moxa security advisory MPSA-251731.
2. Download latest firmware from Moxa website.
3. Backup current configuration.
4. Apply firmware update via web interface or MCC tool.
5. Verify update and restore configuration if needed.
🔧 Temporary Workarounds
Restrict Network Access
Limit access to NPort devices to trusted networks only
Enforce Least Privilege
Review and minimize user accounts with access to NPort devices
🧯 If You Can't Patch
- Segment NPort devices on isolated network segments
- Implement strict access controls and monitor for unauthorized configuration changes
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or MCC tool and compare against patched versions in Moxa advisory
Check Version:
Use MCC tool or web interface to check firmware version
Verify Fix Applied:
Verify firmware version matches patched version from Moxa advisory and test that read-only users cannot perform configuration changes
📡 Detection & Monitoring
Log Indicators:
- Unauthorized configuration changes in device logs
- Login attempts from unexpected sources
- MCC tool access from read-only accounts
Network Indicators:
- Unexpected configuration traffic to NPort devices
- MCC protocol usage from unauthorized IPs
SIEM Query:
Search for 'configuration change' events from NPort devices where user role is 'read-only'