CVE-2025-0415

A remote attacker with web administrator privileges can exploit the device’s web interface to execute arbitrary system commands through the NTP settings. Successful exploitation may result in the device entering an infinite reboot loop, leading to a total or partial denial of connectivity for downstream systems that rely on its network services.

CVSS

No CVSS.

References

Link	Resource
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-259491-cve-2025-0415-command-injection-leading-to-denial-of-service-(dos)

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Un atacante remoto con privilegios de administrador web puede explotar la interfaz web del dispositivo para ejecutar comandos arbitrarios del sistema a través de la configuración NTP. Una explotación exitosa puede provocar que el dispositivo entre en un bucle de reinicio infinito, lo que resulta en la denegación total o parcial de la conectividad para los sistemas posteriores que dependen de sus servicios de red.

02 Apr 2025, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-02 07:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-0415

Mitre link : CVE-2025-0415

CVE.ORG link : CVE-2025-0415

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2025-0415", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "psirt@moxa.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-02T07:15:41.720", "references": [{"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-259491-cve-2025-0415-command-injection-leading-to-denial-of-service-(dos)", "source": "psirt@moxa.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "psirt@moxa.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "A remote attacker with web administrator privileges can exploit the device\u2019s web interface to execute arbitrary system commands through the NTP settings. Successful exploitation may result in the device entering an infinite reboot loop, leading to a total or partial denial of connectivity for downstream systems that rely on its network services."}, {"lang": "es", "value": "Un atacante remoto con privilegios de administrador web puede explotar la interfaz web del dispositivo para ejecutar comandos arbitrarios del sistema a trav\u00e9s de la configuraci\u00f3n NTP. Una explotaci\u00f3n exitosa puede provocar que el dispositivo entre en un bucle de reinicio infinito, lo que resulta en la denegaci\u00f3n total o parcial de la conectividad para los sistemas posteriores que dependen de sus servicios de red."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "psirt@moxa.com"}