CVE-2025-9315

10.12.2025, 09:15

An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity Series. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted JSON payload to the device's registration endpoint /api/v1/devices/register, allowing the attacker to register unauthorized devices without authentication. Although exploiting this vulnerability has limited modification of data, there is no impact to the confidentiality and availability of the affected device, as well as no loss of confidentiality, integrity, and availability within any subsequent systems.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
Moxa	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Vulnerability Media Exposure

[GERMAN] Moxa MXsecurity: Schwachstelle ermöglicht Manipulation von Dateien
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Moxa MXsecurity ausnutzen, um Dateien zu manipulieren.
Published: 2025-12-09T23:00:00+00:00

References

https://www.moxa.com/en/support/product-support/security-advisory/mpsa-252631-cve-2025-9315-unauthenticated-device-registration-vulnerability-in-mxsecurity-series