CVE-2025-1977 in NPort 6100-G2

Summary

by MITRE • 12/31/2025

The NPort 6100-G2/6200-G2 Series is affected by an execution with unnecessary privileges vulnerability (CVE-2025-1977) that allows an authenticated user with read-only access to perform unauthorized configuration changes through the MCC (Moxa CLI Configuration) tool. The issue can be exploited remotely over the network with low attack complexity and no user interaction but requires specific system conditions or configurations to be present. Successful exploitation may result in changes to device settings that were not intended to be permitted for the affected user role, potentially leading to a high impact on the confidentiality, integrity, and availability of the device. No impact on other systems has been identified.


Analysis

by VulDB Data Team • 01/02/2026

The vulnerability identified as CVE-2025-1977 affects the NPort 6100-G2 and 6200-G2 series industrial network devices, representing a critical privilege escalation flaw within the Moxa CLI Configuration tool. This issue stems from inadequate access control mechanisms that permit authenticated users with read-only permissions to execute unauthorized configuration modifications, fundamentally undermining the principle of least privilege that forms the cornerstone of secure system design. The vulnerability manifests through the MCC tool interface, which should enforce strict role-based access controls but fails to properly validate user permissions during configuration operations, creating a dangerous gap between assigned privileges and actual system capabilities.

Exploitation of this vulnerability requires an authenticated user who already possesses read-only access to the device, yet the flaw allows this user to bypass normal permission boundaries and modify system settings that should remain restricted to administrators or other higher-privileged roles. This is a classic case of insufficient authorization checks and aligns with CWE-285 (insufficient authorization). The attack complexity is rated as low since no additional user interaction is required beyond initial authentication, and the exploitation can occur remotely over the network, making it particularly concerning for industrial environments where network accessibility is often extensive. The vulnerability's remote exploitability over the network interface directly maps to ATT&CK technique T1105, which covers remote service execution and command injection scenarios.
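The class of defect described above is a dispatcher that treats login as the only authorization point, so a read-only session reaches the same mutating commands as an administrator. The following is an added teaching example, not Moxa's MCC code and not a reproduction of the actual bug: it contrasts a weak command handler that only checks that a session is authenticated with a hardened one that re-checks the role against a deny-by-default permission table on every command. The command names, roles and configuration keys are assumptions made for the example.

```python
"""Illustrative authorization gate for a CLI configuration tool.

Constructed teaching example: it is not Moxa's MCC code and does not
reproduce the real defect. It contrasts a weak dispatcher that only checks
that a session is authenticated with a hardened one that checks the role
against a deny-by-default permission table on every command.
"""
from dataclasses import dataclass, field

READ_ONLY = "read-only"
ADMIN = "admin"

# Deny-by-default: a command absent from this table is refused for every role.
# Command names are assumptions for the example, not real MCC commands.
PERMISSIONS = {
    "show-config": {READ_ONLY, ADMIN},
    "set-gateway": {ADMIN},
    "set-baudrate": {ADMIN},
    "disable-syslog": {ADMIN},
}


@dataclass
class Session:
    user: str
    role: str
    authenticated: bool = True


class AuthorizationError(PermissionError):
    """Raised when a session's role is not permitted to run a command."""


@dataclass
class ConfigTool:
    # Constructed device state; keys are illustrative, not a real NPort config.
    config: dict = field(default_factory=lambda: {
        "gateway": "192.0.2.1", "baudrate": 9600, "syslog": "on"})
    audit: list = field(default_factory=list)

    def _apply(self, command, arg):
        """Command implementations shared by both dispatchers."""
        if command == "show-config":
            return dict(self.config)
        if command == "set-gateway":
            self.config["gateway"] = arg
        elif command == "set-baudrate":
            self.config["baudrate"] = int(arg)
        elif command == "disable-syslog":
            self.config["syslog"] = "off"
        else:
            raise ValueError(f"unknown command {command!r}")
        return dict(self.config)

    def weak_run(self, session, command, arg=None):
        """Weak pattern: authorization is assumed to have happened at login,
        so a read-only session can reach every mutating command."""
        if not session.authenticated:
            raise AuthorizationError("not logged in")
        self.audit.append((session.user, session.role, command))
        return self._apply(command, arg)

    def run(self, session, command, arg=None):
        """Hardened pattern: the role is re-checked on every command against
        the permission table before any state is touched; denied attempts
        are still written to the audit trail."""
        if not session.authenticated:
            raise AuthorizationError("not logged in")
        allowed_roles = PERMISSIONS.get(command, set())
        self.audit.append((session.user, session.role, command))
        if session.role not in allowed_roles:
            raise AuthorizationError(
                f"role {session.role!r} may not run {command!r}")
        return self._apply(command, arg)


def demo():
    """Run the same read-only request through both dispatchers.

    Returns (gateway after weak_run, whether the hardened run was blocked,
    gateway after the hardened run)."""
    viewer = Session("viewer", READ_ONLY)
    weak = ConfigTool()
    weak_result = weak.weak_run(viewer, "set-gateway", "192.0.2.99")["gateway"]
    hardened = ConfigTool()
    try:
        hardened.run(viewer, "set-gateway", "192.0.2.99")
        blocked = False
    except AuthorizationError:
        blocked = True
    return weak_result, blocked, hardened.config["gateway"]


if __name__ == "__main__":
    print(demo())
```

The point of the hardened `run` is that the check happens per command and per mutation, with an explicit allow-list, so adding a new command without a permission entry fails closed rather than open.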

The operational impact of successful exploitation extends beyond simple configuration changes, potentially compromising the device's confidentiality, integrity, and availability through unauthorized modifications to critical network parameters, security settings, and operational configurations. An attacker could alter network protocols, modify access controls, adjust communication parameters, or disable security features, all while maintaining the appearance of normal read-only operations. This capability creates a persistent threat vector that could allow attackers to establish backdoors, redirect traffic, or disable monitoring functions, effectively compromising the device's operational integrity. The vulnerability's potential to affect device availability is particularly severe in industrial settings where these network devices often serve as critical communication endpoints for control systems, making the impact potentially catastrophic for operational technology environments.

Mitigation strategies must address both immediate operational concerns and long-term security posture improvements. Organizations should implement network segmentation without delay to isolate affected devices from critical systems and limit the attack surface. The most effective remediation is applying firmware updates from Moxa that correct the access control validation mechanisms within the MCC tool, ensuring proper privilege enforcement. Additionally, network administrators should implement strict monitoring of configuration changes and establish baseline configurations to detect unauthorized modifications. The principle of least privilege should be enforced through careful review of user access rights, ensuring that read-only users cannot perform configuration changes. Organizations should also consider implementing network access control lists to restrict access to the device management interfaces, and deploy intrusion detection systems to monitor for anomalous configuration change patterns. Regular security audits of industrial control systems should be conducted to identify similar privilege escalation vulnerabilities, as this type of flaw represents a common weakness in OT environments where legacy security models may not adequately protect against modern attack vectors.
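Two of the controls above, a baseline configuration to detect drift and monitoring for configuration changes by accounts that should not be making them, can be combined into a simple check. The following is an added defender-side example, not VulDB's or Moxa's tooling: it diffs an exported running configuration against an approved baseline, scans an audit log for mutating actions by non-privileged roles, and reports the keys where both signals coincide. The key=value configuration format, the audit line format, the key names and the sample data are constructed assumptions for illustration, not the device's actual formats.

```python
"""Configuration-drift and audit-log checks for a serial device server.

Constructed defender-side example; the config format, audit line format,
key names and sample data are assumptions for illustration, not Moxa's own.
"""
from dataclasses import dataclass

# Approved baseline (constructed), captured when the device was commissioned.
BASELINE = """\
ip.address=192.0.2.10
ip.gateway=192.0.2.1
serial.baudrate=9600
syslog.enabled=yes
"""

# Running configuration (constructed), exported during a routine check.
RUNNING = """\
ip.address=192.0.2.10
ip.gateway=192.0.2.99
serial.baudrate=9600
syslog.enabled=no
snmp.community=public
"""

# Constructed audit lines: <timestamp> <user> <role> <action> <key>
AUDIT_LOG = """\
2026-01-02T10:00:01Z alice admin config-set ip.address
2026-01-02T10:05:12Z bob read-only config-set ip.gateway
2026-01-02T10:05:40Z bob read-only config-set syslog.enabled
2026-01-02T10:06:00Z carol read-only config-show ip.address
"""

MUTATING_ACTIONS = {"config-set"}
PRIVILEGED_ROLES = {"admin"}


@dataclass(frozen=True)
class AuditEntry:
    ts: str
    user: str
    role: str
    action: str
    key: str


def parse_config(text):
    """Parse key=value lines into a dict, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def diff_config(baseline, running):
    """Return sorted (key, old, new) tuples; old/new is None for added/removed keys."""
    changes = []
    for key in sorted(set(baseline) | set(running)):
        old, new = baseline.get(key), running.get(key)
        if old != new:
            changes.append((key, old, new))
    return changes


def parse_audit(text):
    """Parse whitespace-separated audit lines, skipping malformed ones."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            entries.append(AuditEntry(*parts))
    return entries


def role_violations(entries):
    """Mutating actions performed by accounts outside the privileged roles."""
    return [e for e in entries
            if e.action in MUTATING_ACTIONS and e.role not in PRIVILEGED_ROLES]


def correlate(changes, violations):
    """Drifted keys that a non-privileged account is recorded as having set."""
    violated_keys = {e.key for e in violations}
    return sorted(key for key, _, _ in changes if key in violated_keys)


def analyze(baseline_text=BASELINE, running_text=RUNNING, audit_text=AUDIT_LOG):
    """Run all three checks and return the findings as plain data."""
    changes = diff_config(parse_config(baseline_text), parse_config(running_text))
    violations = role_violations(parse_audit(audit_text))
    return {
        "drift": changes,
        "violations": [(e.user, e.key) for e in violations],
        "suspicious_keys": correlate(changes, violations),
    }


if __name__ == "__main__":
    result = analyze()
    for key, old, new in result["drift"]:
        print(f"DRIFT  {key}: {old!r} -> {new!r}")
    for user, key in result["violations"]:
        print(f"ALERT  non-admin {user} modified {key}")
    print("keys to investigate:", result["suspicious_keys"])
```

Drift alone (the added `snmp.community` key here) is worth a ticket; drift on a key that the audit trail attributes to a read-only account is the signature of exactly the privilege problem this entry describes and should page someone. In practice the baseline and running exports would come from the device's own configuration export and the audit lines from its syslog feed.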

Responsible

Moxa

Reservation

03/05/2025

Disclosure

12/31/2025

Moderation

accepted

CPE

ready

EPSS

0.00087

KEV

no

Activities

very low
