OTPulse

MOXA NPort IAW5000A-I/O Series

Act Now · CVSS 9.8 · ICS-CERT ICSA-20-287-01 · Oct 13, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

The NPort IAW5000A-I/O Series firmware versions 2.1 and earlier contain multiple authentication and authorization flaws. Vulnerabilities include: session hijacking due to improper session management (CWE-384); privilege escalation allowing users to perform administrative actions (CWE-269); use of weak passwords without enforcement (CWE-521); transmission of credentials in cleartext (CWE-319); insufficient brute-force protection on authentication (CWE-307); and information disclosure allowing access to sensitive data without authorization (CWE-200). These flaws could collectively allow an unauthenticated attacker on the network to gain administrative control of the device and all connected serial-based equipment.

What this means
What could happen
An attacker could hijack administrative sessions, escalate unprivileged user access to admin level, or extract sensitive credentials and configuration data from the NPort device. This could allow complete control over serial device communications and port configuration in your facility.
Who's at risk
Water utilities, wastewater treatment plants, and electric utilities that use Moxa NPort IAW5000A-I/O Series devices for serial-to-Ethernet conversion of legacy PLCs, RTUs, or SCADA components should review their deployments. These devices are commonly used to integrate older serial-based field equipment with modern IP networks.
How it could be exploited
An attacker with network access to the NPort web interface or SSH/Telnet services could exploit weak authentication mechanisms, session handling flaws, or credential transmission issues to gain unauthorized access. Once authenticated, privilege escalation vulnerabilities would allow execution of administrative commands without proper authorization.
Prerequisites
  • Network access to the NPort device (HTTP, SSH, or Telnet ports)
  • The device must be reachable from an attacker's network position
  • Weak default or user-set credentials may be present
remotely exploitable · no authentication required for some attack vectors · weak password vulnerabilities · cleartext credential transmission · brute-force attack possible · default credentials may be present
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
NPort: Firmware | ≤ 2.1 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the NPort device using firewall rules; allow only necessary administrative IP addresses to reach SSH, Telnet, and web management ports
WORKAROUND: Disable SSH and Telnet services if not required for operations; use HTTPS only for remote management
HARDENING: Ensure strong, unique passwords are configured on the NPort device and change any default credentials
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Install the latest firmware version on all NPort IAW5000A-I/O Series devices
Long-term hardening
HARDENING: Isolate the NPort device on a separate control network segment behind a firewall, with no direct Internet access
HARDENING: If remote management is required, use a VPN to the facility network rather than direct Internet exposure
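
An inventory check for the remediation items above, added here as an example and not part of the advisory or any Moxa tooling: it flags records in the affected firmware range (≤ 2.1), cleartext management services, management access from outside the administrative allowlist, and unchanged default credentials. The inventory layout, field names, device names and addresses are constructed assumptions.

```python
import ipaddress

AFFECTED_MAX = (2, 1)            # advisory: firmware 2.1 and earlier
CLEARTEXT = {"http", "telnet"}   # protocols that send credentials unencrypted

def parse_version(text):
    """'2.1' or 'v2.0.3' -> (major, minor); 2.1.x is treated as affected (assumption)."""
    parts = [int(p) for p in text.lstrip("vV").split(".")] + [0]
    return tuple(parts[:2])

def audit(device, admin_nets):
    """Return findings for one inventory record (record layout is hypothetical)."""
    findings = []
    if parse_version(device["firmware"]) <= AFFECTED_MAX:
        findings.append(f"firmware {device['firmware']} is in the affected range (<= 2.1)")
    for svc in sorted(CLEARTEXT & set(device["services"])):
        findings.append(f"cleartext management service enabled: {svc}")
    if "ssh" in device["services"] and not device.get("ssh_required", False):
        findings.append("ssh enabled but not marked as required")
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    # No ACL recorded means the management ports are reachable from anywhere.
    for src in device.get("allowed_sources") or ["0.0.0.0/0"]:
        net = ipaddress.ip_network(src)
        if not any(net.version == n.version and net.subnet_of(n) for n in nets):
            findings.append(f"management ports reachable from {src}")
    if not device.get("default_password_changed", False):
        findings.append("default credentials not confirmed changed")
    return findings

# Constructed sample data: names, addresses and field names are made up.
ADMIN_NETS = ["10.20.0.0/24"]
INVENTORY = [
    {"name": "pump-station-1", "firmware": "2.0",
     "services": ["http", "telnet", "ssh"],
     "allowed_sources": None, "default_password_changed": False},
    {"name": "substation-7", "firmware": "2.1", "services": ["https"],
     "allowed_sources": ["10.20.0.0/28"], "default_password_changed": True},
]

def report(inventory=INVENTORY, admin_nets=ADMIN_NETS):
    """Map each device name to its list of findings."""
    return {d["name"]: audit(d, admin_nets) for d in inventory}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```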