CVE-2025-1680

23.10.2025, 14:15

An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxas Ethernet switches, which allows attackers with administrative privileges to manipulate HTTP Host headers by injecting a specially crafted Host header into HTTP requests sent to an affected devices web service. This vulnerability is classified as Host Header Injection, where invalid Host headers can manipulate to redirect users, forge links, or phishing attacks. There is no impact to the confidentiality, integrity, and availability of the affected device; no loss of confidentiality, integrity, and availability within any subsequent systems.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
Moxa	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Common Weakness Enumeration

CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
The software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Vulnerability Media Exposure

[GERMAN] Moxa Switch: Mehrere Schwachstellen
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Moxa Switch ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und Daten zu manipulieren.
Published: 2025-10-23T22:00:00+00:00

References

https://www.hackrtu.com/blog/cg-technical-en-003/

https://www.moxa.com/en/support/product-support/security-advisory/mpsa-257421-cve-2025-1679,-cve-2025-1680-stored-cross-site-scripting-(xss)-and-host-header-injection-vulnerabilities-in