PatchSiren cyber security CVE debrief
CVE-2026-10828 Moxa CVE debrief
A format string vulnerability has been found in the 'alias' parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This vulnerability stems from insufficient input validation and improper handling of externally supplied format strings. An attacker could exploit this vulnerability by sending crafted input to the web service, causing unintended memory disclosure. Successful exploitation may allow an attacker to leak sensitive memory contents and determine critical memory addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections.
- Vendor: Moxa
- Product: NPort W2150A-W4/W2250A-W4 Series
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Administrators and users of Moxa NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior should apply patches or mitigations to prevent exploitation.
Technical summary
The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity. It is identified as CWE-134, Use of Externally-Controlled Format String.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates provided by the vendor to address the format string vulnerability.
- Implement input validation and sanitization for user-supplied input.
- Monitor network traffic and system logs for suspicious activity.
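The CWE-134 pattern and its fix, as an added example that is not Moxa firmware code or part of the original advisory: the unsafe form passes request data as the format argument, while the hardened form uses a constant format string behind an allow-list check. All function names, the permitted character set, and the 32-character limit are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ALIAS_MAX 32 /* assumed length limit, not taken from vendor documentation */

/* Allow-list: letters, digits, space, '-', '_', '.'. '%' is never accepted. */
int alias_is_valid(const char *alias) {
    size_t n = strlen(alias);
    if (n == 0 || n > ALIAS_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)alias[i];
        if (!isalnum(c) && c != ' ' && c != '-' && c != '_' && c != '.') return 0;
    }
    return 1;
}

#ifdef SHOW_VULNERABLE_PATTERN /* CWE-134 pattern, kept out of the build */
int format_alias_unsafe(char *out, size_t outlen, const char *alias) {
    return snprintf(out, outlen, alias); /* request data becomes the format */
}
#endif

/* Constant format string: the alias is only ever data. -1 on error/truncation. */
int format_alias(char *out, size_t outlen, const char *alias) {
    int n = snprintf(out, outlen, "Alias: %s", alias);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hypothetical request handler: validate first, then format safely. */
int handle_alias_param(char *out, size_t outlen, const char *alias) {
    if (alias == NULL || !alias_is_valid(alias)) return -1;
    return format_alias(out, outlen, alias);
}

int main(void) {
    char row[64];
    const char *samples[] = { "Pump.2", "Line 3_PLC", "100%d", "" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = handle_alias_param(row, sizeof row, samples[i]);
        printf("%-12s -> %s\n", samples[i], n < 0 ? "rejected" : row);
    }
    return 0;
}
```

Building with `-Wformat -Wformat-security -Werror=format-security` makes GCC and Clang reject the non-literal format call at compile time.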
Evidence notes
The CVE record and details were obtained from the official CVE website and the National Vulnerability Database (NVD).
Official resources
- CVE-2026-10828 CVE record (CVE.org)
- CVE-2026-10828 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-10828 was published on 2026-06-16T12:16:24.920Z and has not been modified since then.