Moxa NPort IAW5000A-I/O Series Serial Device Server

Act Now9.8ICS-CERT ICSA-21-187-01Jul 6, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Moxa NPort IAW5000A-I/O Series serial device server contains multiple buffer overflow and input validation vulnerabilities (CWE-120, CWE-121, CWE-20, CWE-78) in firmware versions 2.2 and earlier. Successful exploitation could cause remote code execution, device crash, or buffer overflow conditions via network-accessible input. No public exploits are currently known, but the high CVSS score (9.8) and critical severity reflect the ease of exploitation and potential impact.

What this means

What could happen

An attacker could gain remote code execution on the serial device server, potentially controlling attached industrial devices or disrupting serial communication between your control network and field equipment. Alternatively, the device could crash, causing loss of data connectivity to attached sensors or controllers.

Who's at risk

Water utilities and electric utilities using Moxa NPort IAW5000A-I/O Series serial device servers for SCADA field device connectivity, particularly those using Modbus or other serial-to-Ethernet gateway functionality to connect legacy instrumentation or controllers to modern networks.

How it could be exploited

An attacker on the network sends a specially crafted packet to the NPort device's network interface. The packet triggers a buffer overflow in the device's input handling code, allowing the attacker to execute arbitrary commands on the device with the same privileges as the NPort firmware, or crashes the device entirely.

Prerequisites

Network access to the NPort device on its management or serial communication ports (typically TCP/Modbus or manufacturer proprietary ports)
No authentication required - the vulnerability is in unauthenticated input parsing

remotely exploitableno authentication requiredlow complexity attackhigh CVSS score (9.8)affects serial communication infrastructureno patch currently available

Exploitability

Moderate exploit probability (EPSS 1.4%)

Affected products (1)

ProductAffected VersionsFix Status

NPort IAW5000A-I/O Series firmware:≤ 2.2No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGImplement network segmentation: place the NPort device behind a firewall and restrict access to only authorized engineering workstations and control system networks

WORKAROUNDDisable remote management access to the NPort device if not required for your operations

HARDENINGImplement access control lists (ACLs) on network switches and firewalls to limit which devices can reach the NPort on its management and serial communication ports

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply Moxa firmware patch when available from Moxa Technical Support - contact Moxa to obtain the security update for NPort IAW5000A-I/O Series

CVEs (4)

CVE-2021-32968 CVE-2021-32976 CVE-2021-32970 CVE-2021-32974

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/01e8f208-5cd2-4487-a9c0-c1ceefe4254c