Moxa CVE-2025-1977, CVE-2025-2026: Multiple Vulnerabilities in NPort 6100-G2/6200-G2 Series

MonitorCVSS 7.7MPSA-251731Dec 31, 2025

Moxa

Summary

The NPort 6100-G2/6200-G2 Series is affected by two vulnerabilities. CVE-2025-1977 allows an authenticated user with read-only web access to perform unauthorized configuration changes through the MCC tool via low-complexity remote network attack. CVE-2025-2026 allows an authenticated remote attacker to inject a null byte through the web API, causing an unexpected device reboot and temporary denial of service. Both require valid read-only credentials but low attack complexity. No patches are currently available.

What this means

What could happen

An attacker with read-only web access could reconfigure device settings or cause the NPort to reboot unexpectedly, temporarily disrupting network connectivity and data routing for connected serial devices.

Who's at risk

This affects water utilities, electric utilities, and other infrastructure operators who use Moxa NPort 6100-G2 or NPort 6200-G2 serial-to-Ethernet gateway devices for remote monitoring and configuration of PLCs, RTUs, or other serial devices in the field. Any facility relying on these devices for continuous network data collection is at risk of temporary service disruption.

How it could be exploited

An attacker with valid read-only web credentials connects to the NPort's web API over the network and either modifies configuration settings through the MCC tool (CVE-2025-1977) or injects a null byte into the API to trigger an unplanned reboot (CVE-2025-2026). Both attacks are low-complexity and require only standard network access.

Prerequisites

Valid read-only web API credentials for the NPort device
Network access to the NPort's web interface (typically port 80/443)
For CVE-2025-1977: MCC (Moxa CLI Configuration) tool access enabled
For CVE-2025-2026: Specific system configuration conditions to be present on the device

remotely exploitablelow complexityrequires valid credentialsaffects serial data routing and device availabilityno patch available

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (1)

ProductAffected VersionsFix Status

NPort 6100All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGContact Moxa support to request information on available patches or workarounds for NPort 6100-G2/6200-G2 Series

WORKAROUNDRestrict network access to the NPort's web interface to trusted engineering workstations only using firewall rules or network segmentation

WORKAROUNDDisable or restrict the MCC (Moxa CLI Configuration) tool if it is not required for normal operations

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement strong authentication and rotate web API credentials for all NPort devices

HARDENINGMonitor NPort system logs for unexpected configuration changes or reboot events that may indicate exploitation attempts

CVEs (2)

CVE-2025-1977 CVE-2025-2026

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/177f84c4-6b8c-41cd-a370-f5a2faf5bea4

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.