Industrial network gear is back in the spotlight. Moxa has disclosed two flaws in its NPort serial device servers, and one is serious. This Moxa NPort vulnerability could hand an attacker full root control of affected hardware. Both bugs live in the device’s web service.
Why It Matters
NPort device servers bridge serial equipment to Ethernet networks. So they often sit deep inside industrial and OT environments. A compromised unit could give attackers a quiet pivot point. From there, they might reach sensitive control systems.
A Critical Path to Root
The more dangerous issue is CVE-2026-10829, a stack-based buffer overflow (CWE-121) rated CVSS 8.6. It lives in the “Server location” parameter on the Basic settings page and stems from poor input validation. By sending crafted input, an attacker can corrupt memory. As a result, they could achieve remote code execution with root privileges.
Notably, the attack requires valid credentials. So the device is not exposed to anonymous internet attackers. However, an authenticated foothold could still escalate to a total takeover.
Leaking Memory and Bypassing ASLR
The second flaw, CVE-2026-10828, is less severe but still useful to attackers. This format string bug carries a CVSS score of 6.9. It targets the “alias” parameter on the Serial Param page. Consequently, crafted input can leak sensitive memory contents.
That leak matters more than it sounds. By exposing memory addresses, the bug can help defeat ASLR protections. In turn, that makes the buffer overflow easier to exploit reliably. The two flaws together raise the stakes, since one leaks memory while the other corrupts it.
Affected Devices and Patches
The Moxa NPort vulnerability affects the NPort W2150A-W4 and W2250A-W4 Series running firmware v1.5 or earlier. Fortunately, a fix exists. Moxa has released patch v1.5.1 through its technical support team. Older, phased-out W2150A and W2250A models should move to the patched hardware instead.
Given the high severity, administrators should act quickly. You can find full model and patch details in the official Moxa security advisory. Until you patch, restrict web access to trusted operators only. Network segmentation remains a smart extra layer here.
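The model and firmware rules above can be applied to an asset inventory to decide which units to patch and which to replace. The script below is an added example, not from Moxa or the original article; the CSV columns, hostnames and verdict names are assumptions, and the sample inventory is constructed.

```python
import csv
import io
import re

# Values taken from the article: affected series and the fixed firmware version.
MODEL_RE = re.compile(r"\bW2[12]50A(-W4)?\b", re.IGNORECASE)
FIXED = (1, 5, 1)

def parse_version(text):
    """Turn 'v1.5', '1.5.1' or '1.4 Build 18041213' into a comparable tuple."""
    m = re.search(r"\d+(?:\.\d+)*", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so (1, 5) compares as (1, 5, 0)

def classify(model, firmware):
    """Return 'patch', 'ok', 'replace', 'verify' or 'not-listed' for one device."""
    m = MODEL_RE.search(model or "")
    if not m:
        return "not-listed"
    if m.group(1) is None:          # phased-out W2150A / W2250A, no -W4 suffix
        return "replace"
    version = parse_version(firmware)
    if version is None:             # unreadable version: send to a human, not to 'ok'
        return "verify"
    return "patch" if version < FIXED else "ok"

def triage(inventory_csv):
    """Map each host in a CSV inventory (host,model,firmware) to a verdict."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["model"], r["firmware"]) for r in rows}

# Constructed sample inventory; hostnames and column names are assumptions.
SAMPLE = """host,model,firmware
plc-gw-01,NPort W2150A-W4,v1.5
plc-gw-02,NPort W2250A-W4-EU,1.5.1
plc-gw-03,NPort W2250A,1.11 Build 17120716
plc-gw-04,NPort W2150A-W4,
plc-gw-05,NPort 5110,2.10
"""

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

A device with a missing or unparseable firmware string is reported as `verify` rather than `ok`, so gaps in the inventory surface for manual review.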