CVE-2025-6949 CRITICAL

CVE-2025-6949

Vendor Moxa
Product EDR-G9010 Series
Weakness CWE-250
Published October 17, 2025
Last update October 17, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H

What the vulnerability does

01Description

An Execution with Unnecessary Privileges vulnerability has been identified in Moxa’s network security appliances and routers. A critical authorization flaw in the API allows an authenticated, low-privileged user to create a new administrator account, including accounts with usernames identical to existing users. In certain scenarios, this vulnerability could allow an attacker to gain full administrative control over the affected device, leading to potential account impersonation. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality or integrity within any subsequent systems.

Key dates

02Disclosure timeline

October 17, 2025 CVE published
October 17, 2025 Record updated