CVE-2025-1680 | THREATINT

Description

An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa’s Ethernet switches, which allows attackers with administrative privileges to manipulate HTTP Host headers by injecting a specially crafted Host header into HTTP requests sent to an affected device’s web service. This vulnerability is classified as Host Header Injection, where invalid Host headers can manipulate to redirect users, forge links, or phishing attacks. There is no impact to the confidentiality, integrity, and availability of the affected device; no loss of confidentiality, integrity, and availability within any subsequent systems.

PUBLISHED Reserved 2025-02-25 | Published 2025-10-23 | Updated 2025-10-23 | Assigner Moxa

Problem types

CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

Product status

Default status

unaffected

1.0 (custom)

affected

4.0 (custom)

unaffected

Default status

unaffected

1.0 (custom)

affected

4.0 (custom)

unaffected

Default status

unaffected

1.0 (custom)

affected

5.5.255 (custom)

unaffected

Default status

unaffected

1.0 (custom)

affected

5.5.255 (custom)

unaffected

Credits

Aarón Flecha Menéndez finder

Víctor Bello Cuevas finder

References

www.moxa.com/...and-host-header-injection-vulnerabilities-in vendor-advisory

www.hackrtu.com/blog/cg-technical-en-003/ technical-description

cve.org (CVE-2025-1680)

nvd.nist.gov (CVE-2025-1680)

Download JSON