OTPulse
FeedAboutContact

Moxa CVE-2025-1977, CVE-2025-2026: Multiple Vulnerabilities in NPort 6100-G2/6200-G2 Series

Monitor7.7MPSA-251731Dec 31, 2025
Summary

Two vulnerabilities affect the NPort 6100-G2/6200-G2 Series. CVE-2025-1977 (CVSS 7.7) is an execution with unnecessary privileges flaw in the MCC tool that allows an authenticated read-only user to make unauthorized configuration changes to the device remotely with low attack complexity. CVE-2025-2026 (CVSS 7.1) is a null byte injection vulnerability in the web API that allows a read-only authenticated user to force an unexpected device reboot, causing denial of service. No impact on other systems has been identified. Moxa has not released firmware updates for these devices.

What this means
What could happen
An authenticated attacker with read-only access could change device settings on your NPort serial server, or inject malicious input to force an unexpected reboot, disrupting remote terminal sessions and any automated monitoring or data collection connected to the device.
Who's at risk
Water utilities, power companies, and other utilities operating NPort 6100-G2 or 6200-G2 serial servers for remote terminal access to PLCs, RTUs, or other legacy control devices should review their deployment. This affects any facility using these devices for out-of-band management or serial-to-Ethernet bridging.
How it could be exploited
An attacker with valid read-only credentials can issue commands through the web API or MCC tool to either reconfigure the device (CVE-2025-1977) or inject a null byte into the API to trigger a reboot (CVE-2025-2026). Both require network access to the device's web interface and valid authentication credentials.
Prerequisites
  • Network access to the NPort web interface (typically port 80/443)
  • Valid read-only user credentials
  • Specific system configuration or MCC tool enabled (CVE-2025-1977)
  • Web API endpoint accessible (CVE-2025-2026)
remotely exploitableauthentication required (read-only credentials)low attack complexityno patch availablecan cause operational disruption (denial of service)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
ProductAffected VersionsFix Status
NPort 6100All versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDRestrict network access to the NPort web interface using firewall rules; allow only authorized management workstations
WORKAROUNDDisable or restrict the MCC (Moxa CLI Configuration) tool if not actively used for remote management
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact Moxa to inquire about availability of firmware updates for NPort 6100-G2/6200-G2 Series or replacement timeline, as no fix is currently available
Mitigations - no patch available
0/2
NPort 6100 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGImplement role-based access controls; create separate read-only and administrative accounts and limit read-only access to only those who need it
HARDENINGSegment NPort devices on a dedicated management VLAN separate from control network and untrusted IT networks
View full Moxa Security advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/177f84c4-6b8c-41cd-a370-f5a2faf5bea4
Moxa CVE-2025-1977, CVE-2025-2026: Multiple Vulnerabilities in NPort 6100-G2/6200-G2 Series | CVSS 7.7 - OTPulse