OTPulse

Moxa NPort Device Vulnerabilities

Act Now | CVSS 9.8 | ICS-CERT ICSA-16-336-02A | Sep 4, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple critical vulnerabilities exist in Moxa NPort serial-to-Ethernet converters. The vulnerabilities include buffer overflow conditions (CWE-120), missing or weak authentication mechanisms (CWE-287, CWE-306), insufficient credentials handling (CWE-256), weak password requirements (CWE-307), cross-site request forgery (CWE-352), resource exhaustion (CWE-400), and cross-site scripting (CWE-79). These flaws allow remote attackers without authentication to execute arbitrary code, bypass access controls, and compromise device functionality. Affected devices range from older NPort 5110/5200 series to newer M12 industrial variants and NPort 6000/6110 series. No vendor patches are available for any affected product.

What this means
What could happen
An attacker with network access to an NPort device could execute arbitrary code, bypass authentication, or steal sensitive data due to multiple critical vulnerabilities including buffer overflows and missing authentication checks. This could allow complete compromise of the device and any systems it connects to, including critical serial port communications for SCADA, PLCs, and RTUs.
Who's at risk
Water and electric utilities, wastewater treatment plants, and other industrial facilities using Moxa NPort serial-to-Ethernet converters to connect legacy serial equipment (PLCs, RTUs, SCADA devices) to modern networks. This includes any facility where NPort devices bridge older serial instrumentation to network control systems.
How it could be exploited
An attacker on the network sends specially crafted packets to the NPort device's Ethernet interface (port 502 or web interface). The device lacks proper input validation and authentication controls, allowing the attacker to overflow buffers, bypass login requirements, or inject commands that execute on the device. Once compromised, the attacker gains full control and can modify or intercept serial communications flowing through the device.
Prerequisites
  • Network access to the NPort device on port 502 or HTTP/HTTPS ports
  • No authentication required for most vulnerabilities
  • Device must be reachable from the attacker's network segment
remotely exploitable, no authentication required, low complexity, high EPSS score (49.6%), no patch available, affects critical infrastructure, multiple critical vulnerabilities
Exploitability
High exploit probability (EPSS 49.6%)
Affected products (16)
16 EOL
Product                   Affected Versions   Fix Status
NPort 5110                <2.7                No fix (EOL)
NPort 5130/5150 Series    <3.7                No fix (EOL)
NPort 5200 Series         <2.9                No fix (EOL)
NPort 5400 Series         <3.12               No fix (EOL)
NPort 5600 Series         <3.8                No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate NPort devices on a dedicated network segment with restricted access. Only allow connections from authorized engineering workstations and control systems that require the device.
  • WORKAROUND: Implement network-based access controls (firewall rules) to restrict traffic to the NPort device to only necessary ports and source IP addresses. Block public internet access.
  • WORKAROUND: Disable any unnecessary features on the NPort device, especially web-based management interfaces if not in use. Use serial-only configuration if possible.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor network traffic to and from NPort devices for anomalous connections or command patterns that could indicate exploitation attempts.
Mitigations - no patch available
The following products have reached End of Life with no planned fix:
  • NPort 5110: <2.7
  • NPort 5130/5150 Series: <3.7
  • NPort 5200 Series: <2.9
  • NPort 5400 Series: <3.12
  • NPort 5600 Series: <3.8
  • NPort 5100A Series: <1.4
  • NPort P5150A: <1.4
  • NPort 5200A Series: <1.4
  • NPort 5150AI-M12 Series: <1.3
  • NPort 5250AI-M12 Series: <1.3
  • NPort 5450AI-M12 Series: <1.3
  • NPort 5600-8-DT Series: <2.5
  • NPort 5600-8-DTL Series: <2.5
  • NPort IA5450A: <1.4
  • NPort 6000 series: <1.16
  • NPort 6110 series: all versions
Apply the following compensating controls:
  • HARDENING: Plan replacement or upgrade of affected NPort devices to a vendor solution with active security support, as no patches are available for existing models.
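
The source-address and port restrictions and the traffic monitoring recommended above can be checked against exported flow records. The following is an added example, not part of the advisory or any vendor tooling: it flags connections to NPort devices that fall outside an assumed site policy. All addresses, the allowed port set, the CSV layout and the function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Assumed site policy: every address and port below is a constructed placeholder.
NPORT_DEVICES = {ipaddress.ip_address(a) for a in ("10.20.30.11", "10.20.30.12")}
SITE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]      # anything else is external
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.40.0/28")]   # engineering workstations
ALLOWED_PORTS = {502, 443}                                  # ports this site needs open

# Constructed flow records, not real traffic: time, source, destination, destination port
SAMPLE_FLOWS = """\
2024-01-01T08:00:00Z,10.20.40.5,10.20.30.11,502
2024-01-01T08:01:10Z,10.20.40.5,10.20.30.11,80
2024-01-01T08:02:30Z,10.20.99.7,10.20.30.12,502
2024-01-01T08:03:45Z,203.0.113.9,10.20.30.12,443
2024-01-01T08:04:00Z,10.20.40.6,10.20.50.1,502
2024-01-01T08:05:20Z,10.20.99.7,10.20.30.11,8080
"""

def in_any(ip, networks):
    """True if the address belongs to at least one of the given networks."""
    return any(ip in net for net in networks)

def audit_flows(text):
    """Return (time, src, dst, port, reasons) for each flow to an NPort that breaks policy."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip blank or malformed records
        ts, src, dst, port = row
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in NPORT_DEVICES:
            continue  # only traffic towards the converters is in scope
        reasons = []
        if not in_any(src_ip, SITE_NETWORKS):
            reasons.append("external-source")       # should be blocked at the perimeter
        elif not in_any(src_ip, ALLOWED_SOURCES):
            reasons.append("unauthorized-source")   # internal host that is not a workstation
        if int(port) not in ALLOWED_PORTS:
            reasons.append("unexpected-port")       # service that should be disabled or filtered
        if reasons:
            findings.append((ts, src, dst, int(port), reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding[:4], ",".join(finding[4]))
```

Any finding means either a firewall rule is missing or a host is reaching the converter that the segmentation plan did not anticipate.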