OTPulse

Moxa NPort 6000 Series and Utility Improper Certificate Validation Vulnerabilities

Low Risk | CVSS 2 | Mar 14, 2023
Summary

Two improper certificate validation vulnerabilities exist in the Moxa NPort 6000 Series and its Windows driver manager software (CVE-2022-43993, CVE-2022-43994). The Windows driver manager does not perform server certificate verification. The NPort 6000 device does not perform client certificate authentication. An attacker positioned between the Windows driver manager and the NPort 6000 on the network can perform a person-in-the-middle attack to eavesdrop on the secure connection and potentially read sensitive management traffic including credentials, device configuration, and serial port data.

What this means
What could happen
An attacker on the network between a Windows engineering workstation and a Moxa NPort 6000 device could intercept and read sensitive management traffic, potentially including device passwords, serial port data, and configuration changes. This could enable unauthorized access to controlled equipment or reading of sensitive process data transmitted through the device.
Who's at risk
Energy sector operators using Moxa NPort 6000 serial device servers, especially in SCADA systems, telemetry systems, or any environment where the device is managed from Windows workstations over a network. This includes electric utilities, water authorities, and other critical infrastructure relying on serial-to-Ethernet converters for equipment control or monitoring.
How it could be exploited
An attacker positioned on the network between the Windows driver manager workstation and the NPort 6000 device (e.g., on the same network segment, via DNS spoofing, or ARP poisoning) can intercept the secure connection. Because the Windows driver software does not verify the server certificate and the device does not verify the client certificate, the attacker can impersonate either endpoint and read all traffic in cleartext, including credentials and serial port data.
Prerequisites
  • Network access to the path between the Windows driver manager workstation and the NPort 6000 device
  • Ability to take a man-in-the-middle position (same network segment, DNS/ARP control, or network access point)
  • Device must be actively communicating with the Windows driver manager software
  • Requires network access (man-in-the-middle position)
  • Low CVSS score but affects trusted management channel
  • No vendor patch available for NPort 6000 hardware
  • Could lead to credential theft and unauthorized device reconfiguration
  • Affects safety-relevant systems if NPort controls critical infrastructure devices
Affected products (1)
Product | Affected Versions | Fix Status
NPort 6000 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate NPort 6000 management traffic to a separate, access-controlled network or VLAN with strict ACLs limiting access to authorized engineering workstations only
  • WORKAROUND: Use a VPN or encrypted tunnel (e.g., TLS terminating proxy with certificate pinning) for all NPort 6000 management connections from engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade Windows driver manager software to a version that performs server certificate validation
  • HARDENING: Deploy network monitoring/IDS on the management network segment to detect certificate validation bypasses or suspicious traffic patterns on the driver manager connection
  • HARDENING: Implement MAC address filtering and port security on switches to prevent unauthorized devices from eavesdropping on the NPort 6000 management connection
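
One way to support the certificate-pinning and monitoring mitigations above is a check that compares the certificate presented on a management endpoint against a SHA-256 fingerprint recorded out of band, and alerts when it changes. This is an added example, not code from Moxa or OTPulse; the host name, port 4433 and all function names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare against a pin written as 'AA:BB:..' or plain hex."""
    wanted = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), wanted)

def fetch_peer_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the certificate the endpoint presents, without trusting it.
    Chain validation is off only because the pin comparison is the trust
    decision here; no application data is sent on this connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not der:
        raise ssl.SSLError("endpoint presented no certificate")
    return der

def check_endpoints(pins: dict, fetch=fetch_peer_cert) -> list:
    """pins maps (host, port) -> pinned fingerprint. Returns alert strings."""
    alerts = []
    for (host, port), pinned in pins.items():
        try:
            der = fetch(host, port)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            alerts.append(f"{host}:{port} UNREACHABLE {exc}")
            continue
        if not pin_matches(der, pinned):
            alerts.append(f"{host}:{port} PIN MISMATCH presented={fingerprint(der)}")
    return alerts

if __name__ == "__main__":
    # Constructed demo: these bytes stand in for DER certificates, no network used.
    enrolled, swapped = b"constructed-cert-A", b"constructed-cert-B"
    pins = {("nport-01.example.internal", 4433): fingerprint(enrolled)}  # hypothetical
    print(check_endpoints(pins, fetch=lambda h, p: enrolled))  # no alerts
    print(check_endpoints(pins, fetch=lambda h, p: swapped))   # one alert
```

Record each pin from the device over a trusted path (for example a direct cable connection) before relying on the check, since a pin captured across the untrusted network could already be an intermediary's certificate.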
Moxa NPort 6000 Series and Utility Improper Certificate Validation Vulnerabilities | CVSS 2 - OTPulse