Description

A format string vulnerability has been found in the "alias" parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This vulnerability stems from insufficient input validation and improper handling of externally supplied format strings. An attacker could exploit this vulnerability by sending crafted input to the web service, causing unintended memory disclosure. Successful exploitation may allow an attacker to leak sensitive memory contents and determine critical memory addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections.

PUBLISHED Reserved 2026-06-04 | Published 2026-06-16 | Updated 2026-06-16 | Assigner Moxa




MEDIUM: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-134: Use of Externally-Controlled Format String

Product status

Default status: unaffected
1.0 (custom): affected

Default status: unaffected
1.0 (custom): affected

Credits

Remi ONNO of CS GROUP France (Sopra Steria Group) (finder)

References

www.moxa.com/...mat-string-and-stack-based-buffer-overflow-v (vendor-advisory)

cve.org (CVE-2026-10828)

nvd.nist.gov (CVE-2026-10828)