CVE-2026-10829

Vulnerability

A stack-based buffer overflow vulnerability exists in the NPort W2150A-W4/W2250A-W4 Series serial device servers, version 1.5 and earlier. The flaw is located in the "Server location" parameter on the Basic settings page of the web service. It stems from insufficient input validation of user-supplied input, allowing an attacker to trigger memory corruption by sending crafted data to the parameter [1].

Exploitation

To exploit this vulnerability, an attacker must be able to send crafted input to the web service of the affected device. No authentication is mentioned as required for access to the Basic settings page, suggesting the page may be accessible without prior login. The attacker provides a specially crafted string into the "Server location" parameter, which is then processed without proper bounds checking, leading to a stack-based buffer overflow [1].

Impact

Successful exploitation of this buffer overflow could allow an attacker to achieve remote code execution on the target system. The advisory states that the attacker gains root privileges on the device, resulting in a complete compromise of the system's confidentiality, integrity, and availability [1].

Mitigation

As of the advisory release date (June 16, 2026), the vendor Moxa has not yet released a fixed firmware version. Users are urged to apply security updates as soon as they become available. No workarounds are mentioned in the available references [1]. The advisory notes the high severity and recommends immediate action to reduce risk.