Moxa NPort 6000 Series and Utility Improper Certificate Validation Vulnerabilities

Low RiskCVSS 2nport-6000-series-and-utility-improper-certificate-validation-vulnerabilitiesMar 14, 2023

MoxaEnergy

Summary

Two improper certificate validation vulnerabilities exist in the Moxa NPort 6000 Series and its Windows driver manager software (CVE-2022-43993, CVE-2022-43994). The Windows driver manager does not perform server certificate verification. The NPort 6000 device does not perform client certificate authentication. An attacker positioned between the Windows driver manager and the NPort 6000 on the network can perform a person-in-the-middle attack to eavesdrop on the secure connection and potentially read sensitive management traffic including credentials, device configuration, and serial port data.

What this means

What could happen

An attacker on the network between a Windows engineering workstation and a Moxa NPort 6000 device could intercept and read sensitive management traffic, potentially including device passwords, serial port data, and configuration changes. This could enable unauthorized access to controlled equipment or reading of sensitive process data transmitted through the device.

Who's at risk

Energy sector operators using Moxa NPort 6000 serial device servers, especially in SCADA systems, telemetry systems, or any environment where the device is managed from Windows workstations over a network. This includes electric utilities, water authorities, and other critical infrastructure relying on serial-to-Ethernet converters for equipment control or monitoring.

How it could be exploited

An attacker positioned on the network between the Windows driver manager workstation and the NPort 6000 device (e.g., on the same network segment, via DNS spoofing, or ARP poisoning) can intercept the secure connection. Because the Windows driver software does not verify the server certificate and the device does not verify the client certificate, the attacker can impersonate either endpoint and read all traffic in cleartext, including credentials and serial port data.

Prerequisites

Network access to the path between Windows driver manager workstation and NPort 6000 device
Ability to position self as man-in-the-middle (same network segment, DNS/ARP control, or network access point)
Device must be actively communicating with Windows driver manager software

Requires network access (man-in-the-middle position)Low CVSS score but affects trusted management channelNo vendor patch available for NPort 6000 hardwareCould lead to credential theft and unauthorized device reconfigurationAffects safety-relevant systems if NPort controls critical infrastructure devices

Affected products (1)

ProductAffected VersionsFix Status

NPort 6000All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGIsolate NPort 6000 management traffic to a separate, access-controlled network or VLAN with strict ACLs limiting access to authorized engineering workstations only

WORKAROUNDUse a VPN or encrypted tunnel (e.g., TLS terminating proxy with certificate pinning) for all NPort 6000 management connections from engineering workstations

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Windows driver manager software to a version that performs server certificate validation

HARDENINGDeploy network monitoring/IDS on the management network segment to detect certificate validation bypasses or suspicious traffic patterns on the driver manager connection

HARDENINGImplement MAC address filtering and port security on switches to prevent unauthorized devices from eavesdropping on the NPort 6000 management connection

CVEs (2)

CVE-2022-43993 CVE-2022-43994

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fb73c028-3f9e-439a-bd97-7501a6ee5a27

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.