CVE-2016-9361 in NPort
Summary
by MITRE
An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. Administration passwords can be retried without authenticating.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/03/2026
The vulnerability identified as CVE-2016-9361 affects multiple Moxa NPort series industrial network devices, representing a critical authentication flaw that undermines the security posture of these network infrastructure components. This issue specifically impacts versions of NPort 5110, 5130/5150, 5200, 5400, 5600, 5100A, 5200A, 5150AI-M12, 5250AI-M12, 5450AI-M12, 5600-8-DT, 5600-8-DTL, 6x50, and IA5450A series devices prior to their respective security updates. The flaw manifests in the authentication mechanism where administrative passwords can be retried without proper authentication, creating a significant security risk for industrial control systems that rely on these devices for network connectivity and management.
This vulnerability falls under the category of weak authentication mechanisms and can be classified as CWE-305 Authentication Bypass. The technical flaw resides in the device's authentication protocol implementation where the system fails to properly validate authentication attempts or maintain proper session state management. When administrators attempt to access the device's management interface, the system allows repeated password attempts without requiring proper authentication, effectively enabling unauthorized access through brute force or dictionary attack methods. The root cause appears to be an insufficient validation of authentication attempts, where the system does not properly enforce authentication failure limits or session management controls.
The operational impact of this vulnerability is severe for industrial environments where these devices are deployed, particularly in critical infrastructure sectors such as manufacturing, energy, and water treatment facilities. Attackers can exploit this weakness to gain unauthorized administrative access to network devices, potentially leading to complete network compromise, data exfiltration, or disruption of industrial processes. The vulnerability is particularly dangerous because it allows attackers to repeatedly attempt password guesses without triggering account lockout mechanisms or rate limiting controls that would normally prevent automated attack attempts. This creates an environment where attackers can systematically work through password lists or generate random password combinations until successful access is achieved, potentially leading to full system compromise and unauthorized network control.
From a threat modeling perspective, this vulnerability aligns with several ATT&CK techniques including T1078 Valid Accounts for maintaining persistence and T1110 Brute Force for credential access. The attack surface is broad given the multiple affected device series, and the impact extends beyond individual device compromise to potentially affect entire industrial networks. Organizations should implement immediate mitigations including applying the vendor-provided security patches for all affected device versions, implementing network segmentation to limit access to these devices, and establishing robust monitoring for unauthorized access attempts. Additionally, network administrators should consider implementing additional authentication controls such as multi-factor authentication where possible, and ensure that administrative access is restricted to authorized personnel only through proper network access controls and firewall rules. The vulnerability highlights the critical importance of maintaining up-to-date firmware in industrial network equipment and demonstrates the risks associated with legacy systems that may not receive ongoing security updates.