CVE-2025-1680

Summary

An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa’s Ethernet switches, which allows attackers with administrative privileges to manipulate HTTP Host headers by injecting a specially crafted Host header into HTTP requests sent to an affected device’s web service. This vulnerability is classified as Host Header Injection, where invalid Host headers can manipulate to redirect users, forge links, or phishing attacks. There is no impact to the confidentiality, integrity, and availability of the affected device; no loss of confidentiality, integrity, and availability within any subsequent systems.

Affected Software

VendorProductVersion RangeStatus
MoxaTN-4500A Series1.0 <= 3.13affected
MoxaTN-4500A Series4.0unaffected
MoxaTN-5500A Series1.0 <= 3.13affected
MoxaTN-5500A Series4.0unaffected
MoxaTN-G4500 Series1.0 <= 5.5affected
MoxaTN-G4500 Series5.5.255unaffected
MoxaTN-G6500 Series1.0 <= 5.5affected
MoxaTN-G6500 Series5.5.255unaffected

Weaknesses

  • CWE-349: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References