Description
A stack-based buffer overflow vulnerability has been found in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and earlier. This vulnerability stems from insufficient input validation of user-supplied input in the "Server location" parameter on the Basic settings page. An attacker could exploit this vulnerability by sending crafted input to the web service, resulting in memory corruption. Successful exploitation of this vulnerability could allow remote code execution on the target system with root privileges.
Published: 2026-06-16
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow vulnerability was discovered in the server location parameter on the Basic settings page of Moxa NPort W2150A-W4/W2250A-W4 Series firmware 1.5 and earlier. Because the input is not validated, an attacker can deliver crafted data to the web service, corrupting memory and potentially executing arbitrary code with root privileges. The weakness is identified as CWE‑121, a classic stack-based buffer overrun.

Affected Systems

The affected devices are the Moxa NPort W2150A and W2250A series, specifically the W2150A-W4/W2250A-W4 models running firmware version 1.5 or lower. The advisory and CPE entries confirm the product line but do not list additional firmware releases beyond 1.5.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity level, while the EPSS score of <1% suggests a low probability of immediate exploitation, and the vulnerability is not listed in the KEV catalog. The likely attack vector is via the web service receiving specially crafted requests to the Server location parameter, requiring remote network access. Successful exploitation would grant full system control.

Generated by OpenCVE AI on June 17, 2026 at 21:51 UTC.

Remediation

Vendor Solution

Please refer to the security advisory: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261910-cve-2026-10828,-cve-2026-10829-use-of-externally-controlled-format-string-and-stack-based-buffer-overflow-v


OpenCVE Recommended Actions

  • Update the device firmware to the latest version or apply the official patch as detailed in the Moxa security advisory
  • If an immediate update is not possible, disable external access to the web management interface to prevent attackers from sending crafted input
  • Ensure that all input fields, particularly the Server location parameter, enforce proper length checks and bounds validation in any custom configuration scripts
  • Monitor system logs for attempted buffer overflow attacks and subject the device to periodic security scans

Generated by OpenCVE AI on June 17, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Description A stack-based buffer overflow vulnerability has been found in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and earlier. This vulnerability stems from insufficient input validation of user-supplied input in the "Server location" parameter on the Basic settings page. An attacker could exploit this vulnerability by sending crafted input to the web service, resulting in memory corruption. Successful exploitation of this vulnerability could allow remote code execution on the target system with root privileges.
First Time appeared Moxa
Moxa nport W2150a-w4 W2250a-w4 Series
Moxa nport W2150a W2250a Series
Weaknesses CWE-121
CPEs cpe:2.3:a:moxa:nport_w2150a-w4_w2250a-w4_series:*:*:*:*:*:*:*:*
cpe:2.3:a:moxa:nport_w2150a_w2250a_series:*:*:*:*:*:*:*:*
Vendors & Products Moxa
Moxa nport W2150a-w4 W2250a-w4 Series
Moxa nport W2150a W2250a Series
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Moxa Nport W2150a-w4 W2250a-w4 Series Nport W2150a W2250a Series
cve-icon MITRE

Status: PUBLISHED

Assigner: Moxa

Published:

Updated: 2026-06-16T12:16:54.768Z

Reserved: 2026-06-04T09:42:27.847Z

Link: CVE-2026-10829

cve-icon Vulnrichment

Updated: 2026-06-16T12:16:45.230Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T12:16:25.967

Modified: 2026-06-16T15:26:04.250

Link: CVE-2026-10829

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:05:17Z

Weaknesses
  • CWE-121

    Stack-based Buffer Overflow