CVE-2026-10828

Vulnerability

A format string vulnerability exists in the alias parameter of the Serial Param configuration page on NPort W2150A-W4/W2250A-W4 Series devices running firmware version 1.5 and prior [1]. The vulnerability stems from insufficient input validation and improper handling of externally supplied format strings, allowing an attacker to inject format specifiers into the web service [1].

Exploitation

An attacker can exploit this vulnerability by sending crafted input containing format string specifiers to the alias parameter via the web service [1]. No authentication is required; network access to the device's web interface is sufficient. The attacker sends a malicious HTTP request to trigger the format string processing.

Impact

Successful exploitation leads to unintended memory disclosure [1]. The attacker can leak sensitive memory contents and determine critical memory addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections [1]. This information leakage could aid in further attacks against the device.

Mitigation

Moxa has released security advisory MPSA-261910 addressing this vulnerability [1]. The advisory urges users to apply solutions immediately, but no specific fixed version is mentioned in the available reference [1]. Users should check Moxa's support site for firmware updates. No workaround is documented. The vulnerability is not listed on CISA KEV as of the advisory date.