CVE-2016-9365 in NPort
Summary
by MITRE
An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. Requests are not verified to be intentionally submitted by the proper user (CROSS-SITE REQUEST FORGERY).
Analysis
by VulDB Data Team • 06/03/2026
The vulnerability identified as CVE-2016-9365 represents a critical cross-site request forgery flaw affecting multiple Moxa NPort series network devices. This issue impacts a wide range of industrial network communication products including NPort 5110, 5130/5150, 5200, 5400, 5600, 5100A, 5200A, 5150AI-M12, 5250AI-M12, 5450AI-M12, 5600-8-DT, 5600-8-DTL, 6x50, and IA5450A series devices. The vulnerability stems from insufficient validation of incoming requests: the web interface does not check that a request was intentionally submitted by the logged-in user, so an attacker can have actions performed on behalf of a legitimate user without that user's knowledge. This flaw exists across multiple firmware versions, with specific patch requirements ranging from version 1.3 to 3.11 depending on the affected device series, highlighting the widespread nature of the vulnerability within Moxa's industrial networking portfolio.
This cross-site request forgery vulnerability arises from the lack of request verification in the device's web interface. When a user is logged in to the device management interface, the system does not verify that a request was intentionally submitted by that user rather than triggered by another site. This weakness allows malicious actors to craft requests that, when sent by an authenticated user's browser, perform administrative actions such as changing network configurations, modifying user accounts, or altering system parameters. The vulnerability specifically affects how the web-based management interface authorizes requests, creating a pathway for unauthorized modifications to critical network infrastructure. The flaw operates at the application layer and can be exploited through social engineering, where users are tricked into visiting malicious websites that automatically submit forged requests to the vulnerable device.
The operational impact of CVE-2016-9365 extends beyond simple unauthorized access, potentially compromising entire industrial network infrastructures. In industrial control systems and network communication environments, these devices serve as critical gateways for managing connectivity between different network segments. An attacker exploiting this vulnerability could gain persistent access to network management functions, potentially leading to network disruption, data interception, or unauthorized access to connected industrial systems. The vulnerability is particularly concerning in environments where these devices are exposed to untrusted networks or where user access controls are insufficient. The attack surface includes scenarios where users might be tricked into clicking malicious links while authenticated to the device management interface, making this vulnerability particularly dangerous in operational technology environments where continuous network availability is critical. This flaw aligns with CWE-352, which specifically addresses cross-site request forgery vulnerabilities, and represents a significant weakness in the device's web application security model.
Mitigation strategies for CVE-2016-9365 require immediate firmware updates to the affected device versions, with each series requiring specific patch versions as outlined in the vulnerability description. Organizations should prioritize updating all affected Moxa NPort devices to their respective patched versions, with the earliest patches available for NPort 5110 Series at version 2.6 and the latest for NPort 6x50 Series at version 1.13.11. Network segmentation and access control measures should be implemented to limit direct exposure of these devices to untrusted networks, including firewall rules that restrict access to device management interfaces to trusted IP addresses only. Additional security controls such as implementing multi-factor authentication for device access, disabling unnecessary web services, and conducting regular security audits of network device configurations should be considered. The vulnerability demonstrates the importance of proper input validation and request verification mechanisms, which aligns with ATT&CK technique T1190 for exploiting vulnerabilities in web applications and T1071.004 for application layer protocol usage in command and control communications. Organizations should also implement network monitoring to detect anomalous access patterns and unauthorized configuration changes that might indicate exploitation attempts.
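To prioritize the firmware updates described above, the following added example (not VulDB's or Moxa's code) checks an inventory of devices against the fixed versions listed in the summary. The regular expressions that map model names onto each series and the sample inventory are assumptions of this example; versions are compared component by component, because treating them as decimals would rank 3.9 above 3.11.

```python
import re

# Fixed versions are copied from the CVE summary above. The model-name regexes
# are assumptions of this example; first match wins, most specific first.
FIXED = [
    (r"IA5450A",         "1.4"),
    (r"5[124]50AI-M12",  "1.2"),
    (r"56\d0I?-8-DT",    "2.4"),      # covers both -DT and -DTL
    (r"P?51\d0A",        "1.3"),      # 5100A Series and P5150A
    (r"52\d0A",          "1.3"),
    (r"6\d50",           "1.13.11"),
    (r"5110",            "2.6"),
    (r"51[35]0",         "3.6"),
    (r"52\d\d",          "2.8"),
    (r"54\d0",           "3.11"),
    (r"56\d0",           "3.7"),
]

def parse_version(text):
    """'v1.13.11' -> (1, 13, 11), so components compare numerically."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def fixed_version(model):
    """Return the first fixed firmware version for a model, or None."""
    name = re.sub(r"^NPORT\s*", "", model.strip().upper())
    for pattern, fixed in FIXED:
        if re.match(pattern, name):
            return fixed
    return None

def status(model, firmware):
    """Classify one device as patched, vulnerable, or not listed."""
    fixed = fixed_version(model)
    if fixed is None:
        return "not listed"
    if parse_version(firmware) < parse_version(fixed):
        return f"vulnerable: update to {fixed} or later"
    return "patched"

# Constructed sample inventory (hosts use the 192.0.2.0/24 documentation range).
SAMPLE = [
    ("192.0.2.10", "NPort 5450I",  "3.9"),
    ("192.0.2.11", "NPort 5410",   "3.11"),
    ("192.0.2.12", "NPort 6450",   "v1.13"),
    ("192.0.2.13", "NPort W2150A", "1.0"),
]

for host, model, firmware in SAMPLE:
    print(host, model, firmware, status(model, firmware), sep="\t")
```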