Moxa NPort 5100A Series Store XSS Vulnerability

Plan Patch8.3MPSA-246328May 7, 2024

Summary

NPort 5100A Series firmware v1.6 and prior contains an improper neutralization of user-controllable input in the web server before output generation (CWE-79). This stored XSS vulnerability allows an attacker to inject malicious scripts that execute in the context of other users' browsers, potentially leading to information disclosure and privilege escalation within the device management interface.

What this means

What could happen

An attacker with network access to the web interface could inject malicious scripts that compromise credentials of authorized users or escalate privileges to gain administrative control of the NPort device, potentially disrupting remote terminal server operations or accessing connected industrial systems.

Who's at risk

Water and power utilities operating Moxa NPort 5100A terminal servers for remote device management and out-of-band access to critical control systems (PLCs, RTUs, network equipment in substations and treatment plants). Any facility using NPort devices for emergency access or serial port sharing across the operational network.

How it could be exploited

An attacker sends a crafted HTTP request containing JavaScript code to a web form or parameter on the NPort device. The device stores this input without sanitization. When another user (such as an administrator) accesses the affected page, their browser executes the attacker's script in their session context, allowing credential theft or privilege escalation.

Prerequisites

Network reachability to the NPort 5100A web interface (default port 80 or custom HTTPS port)
No authentication required to submit the malicious input (reflected/stored XSS entry point is unauthenticated)
A victim user (administrator or authorized operator) must view the page containing the injected script

remotely exploitableno authentication required for exploitationlow complexity attackstored XSS affects multi-user environmentsaffects remote access/management systemsno patch availablehigh CVSS (8.3)

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

NPort 5100AAll versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDIsolate NPort 5100A web interface behind a firewall rule: restrict HTTP/HTTPS access to trusted administrative networks or bastion hosts only.

WORKAROUNDDisable the web management interface entirely if out-of-band serial access is not required; use serial console or SSH-only management if available.

HARDENINGRequire VPN or jump host authentication before allowing any access to the NPort management interface.

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGMonitor NPort device logs for suspicious input patterns (script tags, encoded payloads, unusual characters in parameters) and web session anomalies.

HOTFIXContact Moxa to determine if a firmware update addressing this vulnerability will be released; schedule a maintenance window for firmware upgrade once available.

CVEs (1)

CVE-2024-3576

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/856f4268-c686-46a5-afd6-492803cf5e80