CVE-2016-9366 in NPort
Summary
by MITRE
An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. An attacker can freely use brute force to determine parameters needed to bypass authentication.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/03/2026
The vulnerability described in CVE-2016-9366 represents a critical authentication weakness affecting multiple Moxa network port server models across various series. This issue stems from insufficient authentication mechanisms that allow attackers to perform brute force attacks against the device's login interface, potentially enabling unauthorized access to network management functions. The affected devices span across several product lines including NPort 5110, 5130/5150, 5200, 5400, 5600, 5100A, 5200A, 5150AI-M12, 5250AI-M12, 5450AI-M12, 5600-8-DT, 5600-8-DTL, 6x50, and IA5450A series. The vulnerability manifests as a failure to implement proper account lockout mechanisms or rate limiting controls that would normally prevent automated brute force attempts from succeeding.
The technical flaw in these network devices lies in their authentication implementation which lacks adequate protections against repeated login attempts. Attackers can systematically try various username and password combinations without encountering account lockout mechanisms or temporary access restrictions that would normally deter automated attack tools. This weakness directly relates to CWE-307, which addresses insufficient account lockout mechanisms, and aligns with ATT&CK technique T1110.003 for Brute Force. The vulnerability enables attackers to potentially gain administrative access to the network port servers, which could provide them with complete control over the connected network devices and their communication channels. Network port servers serve as critical gateways between physical network devices and management systems, making unauthorized access particularly dangerous for industrial control systems and network infrastructure.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential network disruption and data compromise. Once an attacker successfully bypasses authentication, they can manipulate network configurations, monitor traffic, or even disrupt network operations entirely. This risk is particularly concerning in industrial environments where Moxa devices are commonly deployed for managing critical infrastructure connections. The vulnerability affects devices across multiple generations, indicating a systemic issue in the authentication implementation rather than isolated product defects. Organizations using these devices face significant risk of unauthorized access to their network management interfaces, potentially leading to service interruptions, data breaches, or even physical security compromises in environments where network connectivity directly impacts operational technology systems. The widespread nature of affected models suggests that many organizations may be unknowingly exposed to this risk across their network infrastructure.
The recommended mitigations for this vulnerability primarily focus on implementing immediate firmware updates to address the authentication weakness. Organizations should prioritize updating all affected Moxa devices to their latest firmware versions as provided by the vendor, which should include proper account lockout mechanisms and rate limiting controls. Network segmentation and access controls should be implemented to limit direct network access to these devices, while monitoring systems should be deployed to detect unusual authentication patterns that might indicate brute force attempts. Additional security measures include implementing strong password policies, enabling multi-factor authentication where possible, and restricting administrative access to only necessary personnel. The vulnerability also highlights the importance of regular security assessments and firmware update procedures for industrial network equipment, as these devices often operate in environments with limited network visibility and may remain unpatched for extended periods. Organizations should consider implementing network monitoring solutions that can detect and alert on failed authentication attempts, as this behavior would be indicative of exploitation attempts against the vulnerable authentication mechanisms.