Description
A format string vulnerability has been found in the "alias" parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This vulnerability stems from insufficient input validation and improper handling of externally supplied format strings. An attacker could exploit this vulnerability by sending crafted input to the web service, causing unintended memory disclosure. Successful exploitation may allow an attacker to leak sensitive memory contents and determine critical memory addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections.
Published: 2026-06-16
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A format string vulnerability exists in the 'alias' parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier. Insufficient input validation allows an attacker to send a crafted string to the web service that is interpreted as a format string, exposing sensitive memory contents and critical addresses. This can lead to information disclosure and, by revealing address layouts, may assist in bypassing ASLR protections.

Affected Systems

Products affected are the Moxa NPort W2150A-W4 and W2250A-W4 Series, as well as the NPort W2150A and W2250A Series. Firmware versions 1.5 and all earlier releases are vulnerable. The issue resides in the web-based configuration interface exposed on the device.

Risk and Exploitability

The CVSS score of 6.9 and the EPSS score of < 1% suggest a moderate severity and a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the web interface, and successful exploitation would enable memory disclosure and potentially aid further attacks. No local privilege requirement is stated, implying that any user with network access to the web service could exploit it.

Generated by OpenCVE AI on June 17, 2026 at 22:38 UTC.

Remediation

Vendor Solution

Please refer to the security advisory: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261910-cve-2026-10828,-cve-2026-10829-use-of-externally-controlled-format-string-and-stack-based-buffer-overflow-v


OpenCVE Recommended Actions

  • Apply the firmware update referenced in the Moxa security advisory.
  • Disable or restrict access to the web configuration interface if it is not required.
  • Monitor the web service for unexpected requests and review logs for potential exploitation attempts.

Generated by OpenCVE AI on June 17, 2026 at 22:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Externally Controlled Format String Vulnerability in Moxa NPort Serial Parameter Configuration

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Description A format string vulnerability has been found in the "alias" parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This vulnerability stems from insufficient input validation and improper handling of externally supplied format strings. An attacker could exploit this vulnerability by sending crafted input to the web service, causing unintended memory disclosure. Successful exploitation may allow an attacker to leak sensitive memory contents and determine critical memory addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections.
First Time appeared Moxa
Moxa nport W2150a-w4 W2250a-w4 Series
Moxa nport W2150a W2250a Series
Weaknesses CWE-134
CPEs cpe:2.3:a:moxa:nport_w2150a-w4_w2250a-w4_series:*:*:*:*:*:*:*:*
cpe:2.3:a:moxa:nport_w2150a_w2250a_series:*:*:*:*:*:*:*:*
Vendors & Products Moxa
Moxa nport W2150a-w4 W2250a-w4 Series
Moxa nport W2150a W2250a Series
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Moxa Nport W2150a-w4 W2250a-w4 Series Nport W2150a W2250a Series
cve-icon MITRE

Status: PUBLISHED

Assigner: Moxa

Published:

Updated: 2026-06-16T12:20:06.556Z

Reserved: 2026-06-04T09:42:25.815Z

Link: CVE-2026-10828

cve-icon Vulnrichment

Updated: 2026-06-16T12:20:00.512Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T12:16:24.920

Modified: 2026-06-16T15:26:04.250

Link: CVE-2026-10828

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:05:19Z

Weaknesses
  • CWE-134

    Use of Externally-Controlled Format String