Vulnerability Description
An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa’s Ethernet switches, which allows attackers with administrative privileges to manipulate HTTP Host headers by injecting a specially crafted Host header into HTTP requests sent to an affected device’s web service. This vulnerability is classified as Host Header Injection, where invalid Host headers can manipulate to redirect users, forge links, or phishing attacks. There is no impact to the confidentiality, integrity, and availability of the affected device; no loss of confidentiality, integrity, and availability within any subsequent systems.
Related Weaknesses (CWE)
References
- https://www.hackrtu.com/blog/cg-technical-en-003/
- https://www.moxa.com/en/support/product-support/security-advisory/mpsa-257421-cv
FAQ
What is CVE-2025-1680?
CVE-2025-1680 is a documented vulnerability. An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa’s Ethernet switches, which allows attackers with administrative privileges to manipulate HTTP Hos...
How severe is CVE-2025-1680?
CVSS scoring is not yet available for CVE-2025-1680. Check NVD for updates.
Is there a patch for CVE-2025-1680?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.