Moxa NPort 5210 5230 5232
Monitor | 7.5 | ICS-CERT ICSA-18-200-04 | Jul 19, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A resource exhaustion vulnerability in Moxa NPort 5210, 5230, and 5232 serial device servers allows a remote attacker to send TCP SYN packets that cause the device to become unavailable. The affected firmware versions are 2.9 and earlier (specifically 17030709 and earlier). Successful exploitation results in denial of service—the device stops responding to all traffic, including legitimate management and serial connections, until manually rebooted. No public exploit is currently known, but the attack is trivial to execute (basic SYN flood).
What this means
What could happen
A remote attacker can send TCP SYN packets to exhaust device resources, rendering the NPort device unavailable and cutting off remote access to managed serial ports until the device is manually rebooted.
Who's at risk
Water and electric utilities that use Moxa NPort serial device servers (5210, 5230, 5232) for remote management of PLCs, RTUs, or other serial-connected equipment. Any facility relying on these devices to provide out-of-band or remote access to control systems.
How it could be exploited
An attacker on the network sends a flood of TCP SYN packets to the NPort device. The device fails to properly handle the connection requests, consuming all available memory or connection slots. The device stops responding to legitimate traffic.
Prerequisites
- Network-reachable access to the NPort device on standard TCP ports
- No authentication or credentials required
- Remotely exploitable
- No authentication required
- Low attack complexity
- No patch available for affected versions
- Affects remote management access
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
NPort 5210 5230 and 5232 | ≤ 2.9 17030709 | No fix yet
Remediation & Mitigation
Do now
- WORKAROUND: Implement network-layer firewall rules to restrict TCP access to the NPort device to only authorized management stations and serial device clients
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade to the latest Moxa firmware from https://www.moxa.com/support/download.aspx?type=support&id=904
Long-term hardening
- HARDENING: Place the NPort device on a separate, isolated management network segment with restricted connectivity from business networks and no Internet access
- HARDENING: If remote access is required, route connections through a VPN appliance with rate limiting and SYN flood protection enabled
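One way to implement the firewall workaround and the SYN rate limiting listed above, as an added example that is not taken from the advisory or from Moxa documentation: an nftables ruleset for a Linux gateway that routes all traffic toward the NPort. The addresses (documentation range 192.0.2.0/24), the table name and the rate budget are assumptions to replace with site values.

```nftables
#!/usr/sbin/nft -f
# Added example; every address, name and rate below is an assumption.
# Assumes a Linux gateway that forwards all traffic toward the NPort.

define NPORT      = 192.0.2.10                   # placeholder: NPort address
define AUTHORIZED = { 192.0.2.50, 192.0.2.51 }   # placeholder: management stations and serial clients

table ip nport_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Leave traffic that is not addressed to the NPort to other rules.
        ip daddr != $NPORT return

        # Packets of connections that were already admitted below.
        ct state established,related accept
        ct state invalid counter drop

        # Workaround: only authorized hosts may open connections.
        ip saddr != $AUTHORIZED counter drop

        # Cap new TCP connection attempts so that a misbehaving or
        # spoofed authorized source cannot fill the device's connection
        # slots. 10/s with a burst of 20 is an assumed budget.
        tcp flags & (fin|syn|rst|ack) == syn limit rate over 10/second burst 20 packets counter drop
        tcp flags & (fin|syn|rst|ack) == syn accept

        # Everything else addressed to the NPort (other protocols, TCP
        # segments without a tracked connection) is dropped.
        counter drop
    }
}
```

Load the file with `nft -f` and read the drop counters with `nft list table ip nport_guard` to see how much traffic each rule is rejecting.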
CVEs (1)