Impact
A format string vulnerability exists in the 'alias' parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier. Insufficient input validation allows an attacker to send a crafted string to the web service that is interpreted as a format string, exposing sensitive memory contents and critical addresses. This can lead to information disclosure and, by revealing address layouts, may assist in bypassing ASLR protections.
Affected Systems
Products affected are the Moxa NPort W2150A-W4 and W2250A-W4 Series, as well as the NPort W2150A and W2250A Series. Firmware versions 1.5 and all earlier releases are vulnerable. The issue resides in the web-based configuration interface exposed on the device.
Risk and Exploitability
The CVSS score of 6.9 and the EPSS score of < 1% suggest a moderate severity and a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the web interface, and successful exploitation would enable memory disclosure and potentially aid further attacks. No local privilege requirement is stated, implying that any user with network access to the web service could exploit it.
OpenCVE Enrichment