Moxa NPort IA5000A Series Serial Device Servers Vulnerabilities

Monitor4nport-ia5000a-serial-device-servers-vulnerabilitiesApr 28, 2021

Summary

Multiple vulnerabilities identified in Moxa NPort IA5000A Series Serial Device Servers: (1) Improper Access Control (CWE-284, CVE-2020-27149) allows attackers to escalate user privileges and bypass access restrictions; (2) Unprotected Storage of Credentials (CWE-256, CVE-2020-27150) allows extraction of authentication credentials from configuration files transmitted over insecure channels, which can then be used to modify device configurations via Moxa Service; (3) Cleartext Transmission over Telnet (CWE-319, CVE-2020-27184) exposes all data including credentials, configurations, and version information; (4) Cleartext Transmission via Moxa Service (CWE-319, CVE-2020-27185) exposes authentication data, device configurations, and sensitive information. No vendor patches are available for these issues.

What this means

What could happen

An attacker could extract authentication credentials and sensitive configuration data from Moxa NPort IA5000A serial device servers, then use those credentials to reconfigure the device and change operational settings or disable serial data integrity protections.

Who's at risk

Transportation and critical infrastructure operators using Moxa NPort IA5000A serial device servers for remote terminal equipment (RTU) communication, SCADA data links, or meter/sensor connectivity. This affects water utilities, electric distribution, transit agencies, and rail systems that rely on these serial gateways to bridge modern networks with legacy serial sensors and control devices.

How it could be exploited

An attacker with network access to the device can initiate unencrypted Telnet or Moxa Service connections to capture authentication credentials and configuration data in cleartext. The attacker can then use extracted credentials to authenticate to the device and escalate their privileges to modify process configurations, serial port settings, or operational parameters that affect connected equipment (e.g., PLCs, meters, sensors).

Prerequisites

Network access to Telnet port (23) or Moxa Service port on the device
Device must be configured to accept unencrypted connections
Ability to perform network sniffing or man-in-the-middle interception

remotely exploitableno authentication required for initial accessno patch availabledefault credentials may be in usecleartext transmission of sensitive datacredential extraction possible

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (1)

ProductAffected VersionsFix Status

NPort IA5000AAll versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDRestrict network access to NPort IA5000A devices: implement firewall rules to block Telnet (port 23) and Moxa Service ports from untrusted networks. Allow only authorized engineering workstations and management servers.

HARDENINGDisable Telnet and unencrypted management protocols on all NPort IA5000A devices; use only SSH or equivalent encrypted protocols if the device supports them.

HARDENINGChange default credentials on all NPort IA5000A devices and enforce strong passwords.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor and audit all configuration changes to NPort IA5000A devices; log all management session activity.

Mitigations - no patch available

0/1

NPort IA5000A has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate NPort IA5000A devices on a separate VLAN with restricted access from general IT networks.

CVEs (4)

CVE-2020-27149 CVE-2020-27150 CVE-2020-27184 CVE-2020-27185

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2988fe42-ab1f-4de9-9b5e-957904c09ddc