Critical Hard-Coded JWT Secret Vulnerability in Moxa Network Security Appliances (CVE-2025-6950)
A critical security vulnerability, tracked as CVE-2025-6950, has been identified in Moxa network security appliances and routers. It allows unauthenticated attackers to gain administrative access via a hard-coded JWT secret. The flaw, which carries a CVSS score of 9.9, stems from the use of a hard-coded secret key for signing the JSON Web Tokens (JWT) used in the authentication process. Because the signing key is the same on every device and is not secret in any meaningful sense, an attacker can forge valid JWTs without any prior authentication, bypassing all access controls. As a result, an attacker can impersonate any user, including administrators, and obtain full control over the affected device. Exploitation of this vulnerability can lead to unauthorized access, data theft, and complete system compromise. The vulnerability is remotely exploitable, significantly increasing the risk to organizations deploying these devices in critical network environments. According to the available reports, there is no evidence that exploitation of this flaw leads to loss of confidentiality or integrity in systems beyond the affected device itself.

The vulnerability was disclosed by Moxa's Product Security Incident Response Team (PSIRT) and has been publicly documented in multiple security advisories. Security researchers emphasize the severity of the issue because of the ease of exploitation and the potential impact on industrial and enterprise networks. The affected products include a range of Moxa network security appliances and routers, though specific model versions have not been detailed in the public advisories. Organizations using these devices are urged to review their deployments and apply any available patches or mitigations as soon as possible. The advisory was published and last updated on October 17, 2025; network administrators should treat it as requiring immediate attention.
The flaw is distinct from other recent privilege escalation vulnerabilities in Moxa products, as it allows for unauthenticated, rather than authenticated, administrative takeover. Security experts recommend monitoring for signs of unauthorized access and reviewing authentication logs for suspicious activity. The use of hard-coded credentials is a well-known security anti-pattern, and this incident underscores the importance of secure key management in authentication systems. Moxa has been notified and is expected to release further guidance and remediation steps. Until patches are available, organizations should consider network segmentation and access restrictions to limit exposure. The incident has raised concerns about the security of industrial control systems and the potential for similar flaws in other embedded network devices. The vulnerability’s critical rating and remote exploitability make it a high-priority issue for all organizations relying on Moxa network security appliances.
Timeline
Oct 17, 2025
Moxa publishes remediation guidance for affected appliances and routers
Alongside the disclosure, Moxa referenced a security advisory with remediation guidance, including applying vendor updates, removing hard-coded credentials, implementing secure JWT signing, and re-authenticating users. The issue was rated Critical with a CVSS v4.0 score of 9.9.
Oct 17, 2025
Moxa discloses critical JWT hard-coded credential flaw as CVE-2025-6950
Moxa PSIRT disclosed CVE-2025-6950, a critical vulnerability in Moxa network security appliances and routers caused by a hard-coded JWT signing secret. The flaw allows unauthenticated remote attackers to forge valid tokens, bypass authentication, impersonate users including administrators, and potentially fully compromise affected devices.
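The article and the timeline entry above describe two halves of the same problem: a signing secret compiled into firmware is shared by every unit, so a token minted anywhere verifies everywhere, and the remediation (new secret material, secure JWT signing, forcing users to re-authenticate) only works if rotation actually invalidates existing tokens. The following Python example is added here to illustrate that; it is not Moxa's code and does not reflect the affected firmware. It uses only the standard library to implement HS256 signing and verification, contrasts a constructed placeholder constant (not the real secret) with a per-installation random secret, shows that rotating the secret rejects previously issued tokens, refuses placeholder defaults such as `change-me` (the pattern in the related Open5GS story further down the page), and rejects unsigned tokens that claim `alg: none`. The `TokenService` class and `demo()` function are hypothetical names chosen for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Vulnerable pattern: one secret baked into every shipped unit. ---
# Constructed placeholder for the example; NOT the value from any real device.
HARD_CODED_SECRET = b"example-firmware-secret"

# Placeholder defaults that must never be accepted as a signing key.
PLACEHOLDER_SECRETS = {b"", b"secret", b"password", b"changeme", b"change-me"}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(secret: bytes, claims: dict) -> str:
    """Produce a compact HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, now=None):
    """Return the claims if the token is validly signed and unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # reject "none" and any algorithm we did not issue
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # constant-time comparison of the MAC
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or "exp" not in claims or claims["exp"] <= now:
        return None
    return claims


class TokenService:
    """Hardened issuer: per-installation random secret; rotation voids all tokens."""

    def __init__(self, secret=None):
        # Generate a fresh 256-bit secret at first boot instead of shipping one.
        self.secret = secrets.token_bytes(32) if secret is None else secret
        if self.is_weak_secret(self.secret):
            raise ValueError("refusing to start with a placeholder or short JWT secret")

    @staticmethod
    def is_weak_secret(secret: bytes) -> bool:
        return secret in PLACEHOLDER_SECRETS or len(secret) < 32

    def issue(self, subject: str, role: str, ttl: int = 3600, now=None) -> str:
        now = int(time.time() if now is None else now)
        return sign_token(self.secret, {"sub": subject, "role": role,
                                        "iat": now, "exp": now + ttl})

    def verify(self, token: str, now=None):
        return verify_token(self.secret, token, now)

    def rotate(self):
        """Remediation step: new secret, so every existing session must re-authenticate."""
        self.secret = secrets.token_bytes(32)


def demo() -> dict:
    """Run the scenarios and return a dict of booleans describing each outcome."""
    now = 1_700_000_000
    results = {}
    # Vulnerable: the constant is identical everywhere, so a token produced
    # with it on one unit is accepted by any other unit.
    tok = sign_token(HARD_CODED_SECRET, {"sub": "admin", "exp": now + 3600})
    results["shared_constant_accepted"] = verify_token(HARD_CODED_SECRET, tok, now) is not None
    # Hardened: each installation has its own random secret.
    dev_a, dev_b = TokenService(), TokenService()
    tok_a = dev_a.issue("admin", "administrator", now=now)
    results["valid_on_issuing_device"] = dev_a.verify(tok_a, now) is not None
    results["rejected_on_other_device"] = dev_b.verify(tok_a, now) is None
    dev_a.rotate()
    results["rejected_after_rotation"] = dev_a.verify(tok_a, now) is None
    # Unsigned token claiming alg "none" is refused outright.
    none_tok = (_b64url(b'{"alg":"none","typ":"JWT"}') + "."
                + _b64url(b'{"sub":"admin","exp":%d}' % (now + 3600)) + ".")
    results["alg_none_rejected"] = dev_a.verify(none_tok, now) is None
    try:
        TokenService(b"change-me")
        results["placeholder_secret_refused"] = False
    except ValueError:
        results["placeholder_secret_refused"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of `rotate()` is the "re-authenticating users" item from the advisory: replacing the secret is what actually evicts tokens that may already have been forged, which a firmware update alone does not guarantee if the old secret is retained. A deployment check that flags any `is_weak_secret()` value at startup catches the placeholder-default variant of the same flaw.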
Related Stories

Moxa Product Flaws Enable Privilege Escalation and Security Policy Bypass
CERT-FR published two advisories covering vulnerabilities in **Moxa** products, warning that the flaws could let attackers **escalate privileges** and undermine core security controls. One notice said successful exploitation could also affect **data confidentiality** and **data integrity**, raising concern for industrial and networked environments where Moxa equipment is commonly deployed. A separate CERT-FR notice reported another Moxa vulnerability that could allow an attacker to **bypass the security policy**. The advisories did not provide further technical details in the referenced content, including affected models, `CVE` identifiers, or specific remediation steps, leaving organizations to monitor vendor and national CERT guidance closely for product impact and patch information.
1 week ago
Moxa Industrial Ethernet Switches Affected by OpenSSH `ssh-agent` RCE (CVE-2023-38408)
Moxa issued guidance for a **critical remote code execution (RCE)** risk affecting multiple *industrial Ethernet switch* lines due to **CVE-2023-38408** in the OpenSSH `ssh-agent` PKCS#11 feature (OpenSSH versions prior to `9.3p2`). The flaw is described as an **unreliable/unquoted search path** issue (CWE-428) and is characterized as an incomplete fix related to **CVE-2016-10009**; exploitation can lead to full device compromise impacting confidentiality, integrity, and availability, with a reported **CVSS 3.1 score of 9.8**. Impacted products include Moxa **EDS** series switches (e.g., `EDS-G4000`, `EDS-4008/4009/4012/4014`, `EDS-G4008/G4012/G4014`) running **firmware `v4.1` or earlier**, and **RKS** series switches (e.g., `RKS-G4000`, `RKS-G4028`, `RKS-G4028-L3`) running **firmware `v5.0` or earlier**. Moxa’s remediation requires obtaining patches via **Moxa Technical Support** rather than public download; the cited target versions are **`4.1.58`** for EDS and **`5.0.4`** for RKS. Until updates can be applied, recommended mitigations include restricting network access (e.g., firewalls/ACLs) and segmenting OT networks (e.g., VLAN separation) to limit exposure.
1 month ago
Hardcoded Secrets Enable Authentication Bypass in Open-Source Infrastructure (RustFS and Open5GS WebUI)
Two critical hardcoded-secret weaknesses were disclosed in widely used open-source infrastructure components, enabling attackers to bypass authentication and obtain administrative control when exposed or left at insecure defaults. In **RustFS** (an object storage platform often used for backups, logs, and operational data), **CVE-2025-68926** (CVSS 9.8) stems from a *non-rotatable static authentication token* embedded in source code on both client and server sides; an attacker with access to the exposed **gRPC management port** can use the known token to bypass authentication and gain admin access, creating risk of data integrity loss and service disruption. In **Open5GS** (an open-source 5G core implementation), **CVE-2026-0622** affects the optional *WebUI* management interface and arises from default **hardcoded cryptographic secrets** used for **JWT signing**. If operators do not change the default environment variables (reportedly set to `change-me`), an attacker can forge valid JWTs, impersonate an administrator, and gain full WebUI privileges—potentially including configuration and subscriber-data management—while also bypassing controls that rely on authenticated context (e.g., CSRF protections).
1 month ago