OTPulse

Moxa NPort IAW5000A-I/O Series Serial Device Servers Vulnerabilities

Monitor | CVSS 6 | Oct 8, 2020
Summary

Multiple vulnerabilities exist in Moxa NPort IAW5000A-I/O Series Serial Device Servers affecting authentication, authorization, and information security. CVE-2020-25198 (Session Fixation) allows session hijacking via cookie theft. CVE-2020-25194 (Improper Privilege Management) permits unprivileged users to escalate to admin privileges. CVE-2020-25153 (Weak Password Requirements) allows use of weak credentials. CVE-2020-25190 (Cleartext Transmission) transmits third-party service credentials unencrypted. CVE-2020-25196 (No Rate Limiting) permits brute force attacks on SSH/Telnet. CVE-2020-25192 (Information Exposure) allows unauthorized access to web service data. No firmware patch is available from Moxa.

What this means
What could happen
An attacker could gain unauthorized access to the device's web interface or SSH/Telnet sessions, modify network configuration, hijack administrator sessions, or extract stored credentials. Device operations could be disrupted or monitored without authorization.
Who's at risk
Water utilities and electric utilities that use Moxa NPort IAW5000A-I/O serial device servers for remote equipment monitoring, RTU management, or SCADA front-end connectivity. Any facility using these devices for serial-to-Ethernet bridging of legacy control equipment is affected.
How it could be exploited
An attacker on the network could brute force SSH/Telnet credentials (no rate limiting), steal or predict web session cookies to hijack an admin session, or exploit privilege escalation to gain admin access from a standard user account. Credentials transmitted in cleartext could be intercepted. The device firmware has no fix available, leaving all versions vulnerable.
Prerequisites
  • Network access to the device's web interface (port 80/443), SSH (port 22), or Telnet (port 23)
  • Weak or default credentials on the device
  • Ability to intercept network traffic for cleartext credential capture
  • Valid unprivileged user account for privilege escalation
  • remotely exploitable
  • no authentication required (brute force)
  • no patch available
  • cleartext credentials transmission
  • weak password policy
  • session hijacking possible
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
NPort IAW5000A-I/O | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Change default credentials to strong passwords immediately
  • WORKAROUND: Restrict network access to the device's web interface and SSH/Telnet ports using firewall rules; only allow access from authorized engineering workstations or management networks
  • HARDENING: Disable Telnet and use SSH only for remote access, configured with key-based authentication if supported
Mitigations - no patch available
NPort IAW5000A-I/O has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Implement network segmentation to isolate the serial device server from untrusted networks
  • HARDENING: Monitor SSH/Telnet connection attempts and block sources with excessive failed login attempts
  • HARDENING: Use a reverse proxy or VPN to encrypt web interface access if remote management is required
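
Because the device itself does not rate-limit SSH/Telnet logins, the monitoring and access-restriction controls above have to be enforced upstream. The following is an added example, not part of the advisory or any Moxa tooling, that flags sources to block from connection events. The log format, IP addresses, allowlist and thresholds are constructed assumptions, and it presumes a firewall or log collector in front of the device records these events.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the advisory): log format, addresses and thresholds.
ALLOWED_SOURCES = {"10.0.1.5"}      # authorized engineering workstation
WINDOW = timedelta(seconds=60)      # sliding window for failed logins
MAX_FAILURES = 5                    # failures tolerated per source per window
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) auth=(?P<auth>ok|fail)$")

# Constructed sample events: a fast guesser, a slow Telnet client, one bad line.
SAMPLE_LOG = "\n".join(
    ["2020-10-08T12:00:00 src=10.0.1.5 dport=22 auth=ok"]
    + [f"2020-10-08T12:00:{s:02d} src=10.0.7.44 dport=22 auth=fail" for s in range(1, 7)]
    + [f"2020-10-08T12:{m:02d}:00 src=10.0.8.9 dport=23 auth=fail" for m in range(10, 16)]
    + ["truncated line without fields"])

def analyze(log_text):
    """Return (sources_to_block, alerts) from time-ordered connection events."""
    failures = defaultdict(deque)   # src -> timestamps of recent failed logins
    to_block, alerts = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # skip malformed lines instead of crashing
        ts = datetime.fromisoformat(m["ts"])
        src, dport = m["src"], int(m["dport"])
        if dport == 23:
            alerts.add((src, "telnet-in-use"))        # Telnet should be disabled
        if src not in ALLOWED_SOURCES:
            alerts.add((src, "unauthorized-source"))  # firewall rule gap
        if m["auth"] == "fail" and dport in (22, 23):
            q = failures[src]
            q.append(ts)
            while ts - q[0] > WINDOW:   # expire failures outside the window
                q.popleft()
            if len(q) > MAX_FAILURES:
                to_block.add(src)
    return to_block, alerts

if __name__ == "__main__":
    blocked, alerts = analyze(SAMPLE_LOG)
    print("block:", sorted(blocked))
    print("alerts:", sorted(alerts))
```

Sources returned for blocking would be fed to whatever firewall sits in front of the device; slow guessing that stays under the window threshold still surfaces through the unauthorized-source alert.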