Full Report
[Control Systems] Moxa security advisory (AV26-610)
Analysis Summary
# Vulnerability: Multiple Flaws in Moxa NPort Serial Device Servers
## CVE Details
- **CVE ID:** CVE-2026-10825, CVE-2026-10828, CVE-2026-10829
- **CVSS Score:** Not explicitly provided in the summary; scores for these classes of vulnerabilities (Buffer Overflow/Format String) in ICS environments typically range from **High to Critical (7.5 - 9.8)**.
- **CWE:**
  - CWE-20 (Improper Input Validation)
  - CWE-134 (Use of Externally-Controlled Format String)
  - CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Moxa NPort Serial Device Servers
- **Versions:**
  - **NPort 6000-G2 Series:** Version v1.1.0 and prior
  - **NPort W2150A-W4/W2250A-W4 Series:** Firmware version v1.5 and prior
  - **NPort W2150A/W2250A Series:** Firmware version v2.3 and prior
## Vulnerability Description
Three distinct security flaws have been identified in the firmware of Moxa Serial Device Servers:
1. **CVE-2026-10825:** Improper validation of input, which can allow an attacker to send specially crafted data to the device to trigger unexpected behavior or crashes.
2. **CVE-2026-10828:** Use of an externally-controlled format string. This occurs when an application uses input from an external source as the format string argument in certain C functions, potentially allowing for unauthorized memory reading or code execution.
3. **CVE-2026-10829:** A stack-based buffer overflow. This vulnerability involves an application writing more data to a buffer located on the stack than that buffer can hold, which typically leads to a crash or the execution of arbitrary code.
## Exploitation
- **Status:** Not reported as exploited in the wild; for PoC status, refer to the vendor advisories linked under References.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (typically targeting the device's management web interface or communication ports).
## Impact
- **Confidentiality:** High (Potential for memory dumping via format string).
- **Integrity:** High (Potential for arbitrary code execution).
- **Availability:** High (Potential for device DoS/system crash).
## Remediation
### Patches
Users are advised to update to the following firmware versions or newer:
- **NPort 6000-G2 Series:** Update beyond v1.1.0.
- **NPort W2150A-W4/W2250A-W4 Series:** Update beyond v1.5.
- **NPort W2150A/W2250A Series:** Update beyond v2.3.
### Workarounds
- Restrict network access to the devices using firewalls or VLANs.
- Disable unused services and management protocols (e.g., Telnet, HTTP) if not required for operations.
- Change default credentials and use encrypted management protocols (HTTPS/SSH) where available.
## Detection
- Monitor network traffic for unusual payloads or malformed strings directed at the management interfaces of NPort devices.
- Review device logs for unexpected reboots or service crashes.
- Use Industrial Control System (ICS) security scanners to identify vulnerable firmware versions within the asset inventory.
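
The firmware check in the last item can also be run directly against an asset inventory export. The script below is an added example, not part of the advisory or any Moxa tooling: it reads "and prior" as "version less than or equal to the listed one", and the CSV column names (`host`, `model`, `firmware`) and the model-name patterns are assumptions to adapt to your inventory.

```python
import csv
import re

# Highest affected firmware per series, copied from the advisory text above.
# The model regexes are assumptions about how an inventory names these devices.
AFFECTED = [
    ("NPort 6000-G2", re.compile(r"^6\d{3}-G2\b"), (1, 1, 0)),
    ("NPort W2150A-W4/W2250A-W4", re.compile(r"^W2[12]50A-W4\b"), (1, 5, 0)),
    ("NPort W2150A/W2250A", re.compile(r"^W2[12]50A(?!-W4)\b"), (2, 3, 0)),
]

def parse_version(text):
    """Leading dotted number of a firmware string, zero-padded to 3 parts, or None."""
    m = re.match(r"\s*[vV]?(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(model, firmware):
    """Return (series, status): affected, not-affected, unknown or out-of-scope."""
    name = re.sub(r"^NPORT[\s-]*", "", model.strip().upper())
    for series, pattern, ceiling in AFFECTED:
        if pattern.match(name):
            version = parse_version(firmware)
            if version is None:
                return series, "unknown"  # no readable version: verify on the device
            return series, "affected" if version <= ceiling else "not-affected"
    return None, "out-of-scope"

def triage(inventory_csv):
    """Return (host, model, firmware, series, status) for every inventory row."""
    rows = csv.DictReader(inventory_csv.splitlines())
    return [(r["host"], r["model"], r["firmware"], *classify(r["model"], r["firmware"]))
            for r in rows]

# Constructed sample inventory: hosts, models and versions are made up.
SAMPLE = """host,model,firmware
plc-gw-01,NPort 6150-G2,v1.1.0
plc-gw-02,NPort 6250-G2,1.2.0
wifi-01,NPort W2150A-W4,v1.5
wifi-02,NPort W2250A,v2.4
wifi-03,NPort W2150A,
hmi-07,NPort 5110,v2.10
"""

if __name__ == "__main__":
    for record in triage(SAMPLE):
        print(*record, sep="\t")
```

Versions are compared as integer tuples, so v2.10 sorts above v2.3, and rows with a missing or unreadable firmware field come back as `unknown` instead of being silently treated as patched.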
## References
- **Moxa Advisory (Input Validation):** hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisory/mpsa-268270-cve-2026-10825-improper-validation-of-input-vulnerability-in-serial-device-servers
- **Moxa Advisory (Format String/Overflow):** hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisory/mpsa-261910-cve-2026-10828,-cve-2026-10829-use-of-externally-controlled-format-string-and-stack-based-buffer-overflow-v
- **Canadian Centre for Cyber Security Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-moxa-security-advisory-av26-610