The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-6950

CVE-2025-6950: Moxa Hard-coded JWT Auth Bypass Vulnerability

CVE-2025-6950 is an authentication bypass vulnerability in Moxa network security appliances caused by hard-coded JWT signing keys. Attackers can forge tokens to gain full admin access. This post covers technical details, affected versions, impact, and mitigation strategies.

Published: April 1, 2026

CVE-2025-6950 Overview

A critical Use of Hard-coded Credentials vulnerability (CWE-798) has been identified in Moxa's network security appliances and routers. The system employs a hard-coded secret key to sign JSON Web Tokens (JWT) used for authentication. This insecure implementation allows an unauthenticated attacker to forge valid tokens, thereby bypassing authentication controls and impersonating any user. Exploitation of this vulnerability can result in complete system compromise, enabling unauthorized access, data theft, and full administrative control over the affected device.

Critical Impact

Successful exploitation allows unauthenticated attackers to forge JWT tokens, bypass authentication entirely, and gain full administrative control over affected Moxa network appliances and routers.

Affected Products

  • Moxa Network Security Appliances
  • Moxa Routers
  • Devices referenced in MPSA-258121 security advisory

Discovery Timeline

  • October 17, 2025 - CVE-2025-6950 published to NVD
  • October 21, 2025 - Last updated in NVD database

Technical Details for CVE-2025-6950

Vulnerability Analysis

This vulnerability stems from insecure cryptographic implementation in Moxa's authentication system. The affected devices use JSON Web Tokens (JWT) for session authentication, but the secret key used to sign these tokens is hard-coded directly into the firmware or application code. This fundamental security flaw means that any attacker who discovers or extracts this static secret key can generate valid authentication tokens without ever needing legitimate credentials.

The impact is severe as the vulnerability requires no prior authentication and can be exploited remotely over the network. An attacker can craft malicious JWT tokens that the system will accept as legitimate, allowing them to impersonate any user account including administrators. This grants complete control over the affected device, potentially compromising the confidentiality, integrity, and availability of the network appliance itself. While the vulnerability does not directly propagate to downstream systems, the compromised device could be used as a pivot point for further attacks on the network infrastructure.

Root Cause

The root cause of CVE-2025-6950 is the use of hard-coded credentials embedded within the device firmware. Specifically, the JWT signing key is statically defined rather than being generated uniquely per device or installation. This violates fundamental security principles as the same secret key exists across all deployed instances of the affected products, making it a single point of failure. Once the key is extracted from any device or reverse-engineered from firmware, all devices using the same key become vulnerable.

Attack Vector

The attack can be executed remotely over the network without requiring any user interaction or prior authentication. An attacker would need to:

  1. Obtain the hard-coded JWT secret key (through firmware analysis or public disclosure)
  2. Craft a JWT token with arbitrary claims, including administrative privileges
  3. Sign the forged token using the known secret key
  4. Send authenticated requests to the device using the forged token
  5. Gain complete administrative access to perform any operation

The vulnerability exploitation follows a straightforward process where an attacker extracts the hard-coded secret key from device firmware, then uses standard JWT libraries to create tokens with elevated privileges. Once signed with the known key, these forged tokens are accepted by the device as legitimate authentication credentials, granting full system access.

Detection Methods for CVE-2025-6950

Indicators of Compromise

  • Unusual administrative login events from unexpected IP addresses or at abnormal times
  • JWT tokens appearing in logs with suspicious claim values or unexpected user identifiers
  • Multiple authentication sessions for the same user from different geographic locations
  • Administrative actions performed without corresponding login events from the web interface
  • Network traffic containing JWT tokens with anomalous or forged timestamps

Detection Strategies

  • Implement network monitoring to detect authentication requests to affected Moxa devices from untrusted sources
  • Review authentication logs for signs of token-based access that doesn't correlate with legitimate user activity
  • Deploy intrusion detection rules to flag JWT authentication attempts containing known malicious patterns
  • Monitor for firmware extraction attempts or unusual debugging connections to affected devices

Monitoring Recommendations

  • Enable comprehensive logging on all affected Moxa network appliances and centralize log collection
  • Implement alerting for any administrative actions performed on critical network infrastructure devices
  • Establish baseline normal authentication patterns and flag deviations
  • Monitor network segments containing affected devices for reconnaissance activity

How to Mitigate CVE-2025-6950

Immediate Actions Required

  • Consult the Moxa Security Advisory MPSA-258121 for official patches and firmware updates
  • Isolate affected Moxa devices from untrusted networks until patches can be applied
  • Implement strict network access controls to limit which hosts can communicate with affected devices
  • Audit administrative accounts and review recent access logs for signs of compromise

Patch Information

Moxa has released security advisory MPSA-258121 addressing CVE-2025-6950 along with several related vulnerabilities (CVE-2025-6892, CVE-2025-6893, CVE-2025-6894, CVE-2025-6949). Organizations should review the official Moxa security advisory for specific firmware versions and update instructions applicable to their deployed products.

Workarounds

  • Place affected devices behind network firewalls or access control lists restricting management interface access to trusted administrator IPs only
  • Implement network segmentation to isolate industrial control and network infrastructure devices from general network traffic
  • Deploy a VPN or jump host requirement for all administrative access to affected Moxa equipment
  • Consider temporarily disabling remote management interfaces until patches are applied, using only local console access
  • Implement additional authentication layers such as a reverse proxy with separate authentication in front of affected devices
bash
# Example firewall configuration to restrict management access
# Adjust IPs and interfaces for your environment

# Allow management access only from trusted admin network
iptables -A INPUT -p tcp --dport 443 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

# Block management interface from untrusted networks
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 8080 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechMoxa
  • SeverityCRITICAL
  • CVSS Score9.9
  • EPSS Probability0.36%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-798
  • Technical References
  • Moxa Security Advisory MPSA-258121
  • Related CVEs
  • CVE-2026-0714: Moxa Industrial Linux TPM Disclosure Flaw
  • CVE-2026-0715: Moxa Industrial Linux Secure DoS Flaw
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English