CVE-2025-6950 in EDR-G9010info

Summary

by MITRE • 10/17/2025

An Use of Hard-coded Credentials vulnerability has been identified in Moxa’s network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 10/17/2025

The vulnerability described in CVE-2025-6950 represents a critical security flaw in Moxa's network security appliances and routers that stems from the improper handling of authentication mechanisms. This issue manifests as a hard-coded credential within the system's JWT signing process, creating a fundamental weakness that undermines the entire authentication framework. The implementation violates core security principles by embedding secret keys directly into the software rather than utilizing dynamic or securely managed credentials, thereby establishing a persistent backdoor that remains active across system restarts and updates.

The technical exploitation of this vulnerability occurs through the manipulation of JSON Web Tokens that are generated using the hard-coded secret key. This flaw aligns with CWE-798, which specifically addresses the use of hard-coded credentials in software implementations, and represents a direct violation of the principle of least privilege and secure credential management. Attackers can leverage this weakness to generate authentic-looking tokens without requiring legitimate credentials, effectively bypassing all authentication controls designed to protect the system. The JWT signing process becomes trivial to exploit since the secret key is publicly known through reverse engineering or system analysis.

The operational impact of this vulnerability extends far beyond simple unauthorized access, as it provides attackers with complete administrative control over affected devices. This level of compromise enables unauthorized users to modify network configurations, access sensitive network traffic, and potentially use the compromised appliances as launch points for lateral movement within the network infrastructure. The vulnerability creates a persistent threat vector that can remain undetected for extended periods, as the forged tokens appear legitimate to the system's authentication mechanisms. This compromise directly affects the confidentiality, integrity, and availability of the affected device through unauthorized modifications, data exfiltration, and potential denial-of-service conditions.

From an adversarial perspective, this vulnerability maps directly to several ATT&CK techniques including T1566 for credential harvesting and T1078 for valid accounts usage, as attackers can leverage the forged tokens to establish persistent access. The impact on network security infrastructure is particularly severe since compromised routers and appliances can provide attackers with unprecedented control over network traffic flow and access points. Organizations should implement immediate mitigations including network segmentation, monitoring for anomalous token usage patterns, and credential rotation where possible. The vulnerability underscores the critical importance of secure coding practices and proper credential management as outlined in NIST SP 800-53 security controls, particularly those related to access control and system configuration management.

Responsible

Moxa

Reservation

07/01/2025

Disclosure

10/17/2025

Moderation

accepted

CPE

ready

EPSS

0.00658

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!