Skip to main content

Nport W2150A W2250A Series

2 CVEs product

Monthly

CVE-2026-10829 HIGH This Week

Remote code execution in Moxa NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier allows authenticated administrators to corrupt memory by submitting an overlong 'Server location' value on the Basic settings page of the web management interface, yielding root-level command execution on the embedded serial device server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Moxa has issued advisory MPSA-261910 confirming the flaw. The companion CVE-2026-10828 (format string) was disclosed in the same advisory, suggesting the web management stack received broader scrutiny.

RCE Stack Overflow Buffer Overflow Nport W2150A W4 W2250A W4 Series Nport W2150A W2250A Series
NVD VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-10828 MEDIUM This Month

Format string exploitation in Moxa NPort W2150A-W4/W2250A-W4 and W2150A/W2250A series wireless serial device servers (firmware v1.5 and prior) allows network-accessible, authenticated administrators to leak arbitrary stack memory through the web management interface. The 'alias' parameter on the Serial Param configuration page passes attacker-controlled input directly to a printf-family function without sanitization, violating CWE-134. The disclosed memory contents can be used to defeat ASLR, making this vulnerability a likely prerequisite stepping-stone to CVE-2026-10829 (stack-based buffer overflow) documented in the same Moxa advisory MPSA-261910. No public exploit and no CISA KEV listing are identified at time of analysis.

Information Disclosure Nport W2150A W4 W2250A W4 Series Nport W2150A W2250A Series
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
EPSS 0% CVSS 8.6
HIGH This Week

Remote code execution in Moxa NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier allows authenticated administrators to corrupt memory by submitting an overlong 'Server location' value on the Basic settings page of the web management interface, yielding root-level command execution on the embedded serial device server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Moxa has issued advisory MPSA-261910 confirming the flaw. The companion CVE-2026-10828 (format string) was disclosed in the same advisory, suggesting the web management stack received broader scrutiny.

RCE Stack Overflow Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Format string exploitation in Moxa NPort W2150A-W4/W2250A-W4 and W2150A/W2250A series wireless serial device servers (firmware v1.5 and prior) allows network-accessible, authenticated administrators to leak arbitrary stack memory through the web management interface. The 'alias' parameter on the Serial Param configuration page passes attacker-controlled input directly to a printf-family function without sanitization, violating CWE-134. The disclosed memory contents can be used to defeat ASLR, making this vulnerability a likely prerequisite stepping-stone to CVE-2026-10829 (stack-based buffer overflow) documented in the same Moxa advisory MPSA-261910. No public exploit and no CISA KEV listing are identified at time of analysis.

Information Disclosure Nport W2150A W4 W2250A W4 Series Nport W2150A W2250A Series
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy