Nport W2150A W2250A Series
Monthly
Remote code execution in Moxa NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier allows authenticated administrators to corrupt memory by submitting an overlong 'Server location' value on the Basic settings page of the web management interface, yielding root-level command execution on the embedded serial device server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Moxa has issued advisory MPSA-261910 confirming the flaw. The companion CVE-2026-10828 (format string) was disclosed in the same advisory, suggesting the web management stack received broader scrutiny.
Format string exploitation in Moxa NPort W2150A-W4/W2250A-W4 and W2150A/W2250A series wireless serial device servers (firmware v1.5 and prior) allows network-accessible, authenticated administrators to leak arbitrary stack memory through the web management interface. The 'alias' parameter on the Serial Param configuration page passes attacker-controlled input directly to a printf-family function without sanitization, violating CWE-134. The disclosed memory contents can be used to defeat ASLR, making this vulnerability a likely prerequisite stepping-stone to CVE-2026-10829 (stack-based buffer overflow) documented in the same Moxa advisory MPSA-261910. No public exploit and no CISA KEV listing are identified at time of analysis.
Remote code execution in Moxa NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier allows authenticated administrators to corrupt memory by submitting an overlong 'Server location' value on the Basic settings page of the web management interface, yielding root-level command execution on the embedded serial device server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Moxa has issued advisory MPSA-261910 confirming the flaw. The companion CVE-2026-10828 (format string) was disclosed in the same advisory, suggesting the web management stack received broader scrutiny.
Format string exploitation in Moxa NPort W2150A-W4/W2250A-W4 and W2150A/W2250A series wireless serial device servers (firmware v1.5 and prior) allows network-accessible, authenticated administrators to leak arbitrary stack memory through the web management interface. The 'alias' parameter on the Serial Param configuration page passes attacker-controlled input directly to a printf-family function without sanitization, violating CWE-134. The disclosed memory contents can be used to defeat ASLR, making this vulnerability a likely prerequisite stepping-stone to CVE-2026-10829 (stack-based buffer overflow) documented in the same Moxa advisory MPSA-261910. No public exploit and no CISA KEV listing are identified at time of analysis.