Moxa CVE-2026-10828, CVE-2026-10829: Use of Externally-Controlled Format String and Stack-based Buffer Overflow Vulnerabilities in Serial Device Servers

Plan Patch | CVSS 8.6 | MPSA-261910 | Jun 16, 2026
Moxa
Summary

Two vulnerabilities have been identified in Moxa NPort W2150A-W4/W2250A-W4 Series Serial Device Servers (version 1.5 and earlier). CVE-2026-10828 is a format string vulnerability in the "alias" parameter of the Serial Param configuration page; insufficient input validation allows memory disclosure and bypass of ASLR protections. CVE-2026-10829 is a stack-based buffer overflow in the "Server location" parameter on the Basic settings page that stems from insufficient input validation and could allow remote code execution with root privileges. Both vulnerabilities are accessible through the web management interface.

What this means
What could happen
An attacker with network access to the Moxa Serial Device Server web interface could execute arbitrary commands with root privileges on the device, potentially disrupting serial-to-network communication and affecting any connected industrial equipment relying on this gateway. Memory disclosure via format string injection could reveal system information used to bypass security protections on the device.
Who's at risk
Water utilities and municipal electric providers that use Moxa NPort W2150A-W4 or W2250A-W4 Serial Device Servers to bridge serial-based industrial equipment (SCADA sensors, RTUs, meter readers, valve controllers) to networked systems. Any facility relying on these serial gateways for real-time monitoring or control of water distribution, treatment, or electrical grid assets is affected.
How it could be exploited
An attacker with access to the device's web management interface sends malicious input to the "alias" parameter (CVE-2026-10828) to leak memory addresses, or to the "Server location" parameter (CVE-2026-10829) to trigger a buffer overflow. If the attacker has sufficient network access, they can craft payloads to achieve remote code execution with root privileges on the Serial Device Server.
Prerequisites
  • Network access to the serial device server's web management interface (typically port 80 or 443)
  • High-level credentials or the ability to reach the configuration pages (the vulnerability requires administrative access to craft payloads, but network reachability to the web service is the key barrier)
remotely exploitable | requires high-level credentials or network access to web interface | low complexity attack | no patch available | can lead to root-level code execution | affects critical infrastructure gateways
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (1)
Product | Affected Versions | Fix Status
Serial Device Servers | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable or restrict network access to the web management interface of all NPort W2150A-W4/W2250A-W4 Series devices using firewall rules; allow only connections from trusted engineering workstations or management networks
WORKAROUND: If immediate patching is not possible, disable the web configuration interface on the Serial Device Server and manage configuration through alternative methods (console port, SNMP if available from secure networks only)
HARDENING: Segment the serial device server on a dedicated network or VLAN separate from general plant IT networks and restrict all inbound access to port 80/443 from administrative networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor web service logs and network traffic to the affected devices for suspicious input patterns or unexpected configuration attempts
HOTFIX: Contact Moxa for availability of firmware updates that address CVE-2026-10828 and CVE-2026-10829; check the security advisory regularly for patched firmware versions
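
One way to implement the monitoring item above, as an added example that is not part of the advisory or Moxa's code: it scans request bodies recorded in front of the device (for instance by a reverse proxy or packet capture) for printf-style conversions in the alias value and for oversized Server location values. The tab-separated log layout, the form field names `alias` and `server_location`, the request paths, and the 64-character limit are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl

# Assumptions (not from the advisory): field names and the length limit.
ALIAS_FIELD = "alias"               # hypothetical form field for the Serial Param alias
LOCATION_FIELD = "server_location"  # hypothetical form field for "Server location"
MAX_LOCATION_LEN = 64               # assumed upper bound; tune to your devices

# printf conversion: '%', optional position, flags, width, precision, length, letter.
FORMAT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGaAcspn]"
)

# Constructed sample: timestamp, source, method, path, form-encoded body (tab-separated).
SAMPLE_LOG = [
    "2026-06-17T02:14:07Z\t192.0.2.10\tPOST\t/serial\talias=pump-3&baud=9600",
    "2026-06-17T02:15:31Z\t198.51.100.7\tPOST\t/serial\talias=p%25x.%25x&baud=9600",
    "2026-06-17T02:16:02Z\t198.51.100.7\tPOST\t/basic\tserver_location=" + "A" * 300,
    "2026-06-17T02:20:45Z\t192.0.2.10\tPOST\t/basic\tserver_location=Pump+house+2",
    "2026-06-17T02:21:00Z\t192.0.2.10\tPOST\t/serial\talias=load+50%25%25",
]

def inspect_body(body):
    """Return a list of finding strings for one form-encoded request body."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        # "%%" is a literal percent sign in printf, so drop it before matching.
        if name == ALIAS_FIELD and FORMAT_SPEC.search(value.replace("%%", "")):
            findings.append("format-specifier-in-alias")
        if name == LOCATION_FIELD and len(value) > MAX_LOCATION_LEN:
            findings.append(f"oversized-server-location({len(value)})")
    return findings

def scan(log_lines):
    """Return (timestamp, source, findings) for each POST that trips a check."""
    hits = []
    for line in log_lines:
        parts = line.rstrip("\n").split("\t", 4)
        if len(parts) != 5 or parts[2] != "POST":
            continue  # skip malformed lines and non-POST requests
        findings = inspect_body(parts[4])
        if findings:
            hits.append((parts[0], parts[1], findings))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

If the interface is served over HTTPS, request bodies are only visible where TLS is terminated, so the check has to run there.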