CVE-2016-9369 in Moxa
Summary
by MITRE
An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4. Firmware can be updated over the network without authentication, which may allow remote code execution.
Analysis
by VulDB Data Team • 06/03/2026
This vulnerability resides in Moxa network infrastructure devices across multiple series including NPort 5110, 5130/5150, 5200, 5400, 5600, 5100A, 5200A, 5150AI-M12, 5250AI-M12, 5450AI-M12, 5600-8-DT, 5600-8-DTL, 6x50, and IA5450A models. The flaw represents a critical security weakness where firmware update functionality can be exploited without proper authentication mechanisms, creating a significant attack surface for malicious actors. This vulnerability directly maps to CWE-306, which describes missing authentication for critical functions, and aligns with ATT&CK technique T1072 for software deployment, specifically targeting network infrastructure devices. The vulnerability affects versions prior to specific firmware releases including 2.6, 3.6, 2.8, 3.11, 3.7, 1.3, 1.3, 1.2, 1.2, 1.2, 2.4, 2.4, and 1.13.11 respectively, indicating a widespread issue across multiple product lines.
The vulnerability stems from the absence of authentication checks in the firmware update process. When devices receive firmware update requests over the network, they fail to validate the source or authenticate the update request, allowing any remote attacker to upload and execute malicious firmware. This creates a persistent backdoor condition where attackers can gain root-level access to the device, potentially compromising the entire network segment the device serves. The vulnerability is particularly concerning because it enables attackers to perform remote code execution without requiring physical access or prior credentials, making it highly attractive for threat actors targeting industrial control systems and network infrastructure.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it provides attackers with complete control over affected devices and potentially the broader network infrastructure they manage. Network administrators may find their devices compromised without detection, leading to potential data exfiltration, network disruption, or use as a stepping stone for lateral movement within the network. The vulnerability's presence across multiple device series suggests that organizations with diverse Moxa deployments may face widespread compromise, potentially affecting critical network connectivity points and industrial automation systems. This vulnerability also violates fundamental security principles outlined in NIST SP 800-53, specifically the authentication and access controls that should prevent unauthorized firmware modifications.
Organizations should immediately implement network segmentation to isolate affected Moxa devices from critical network segments, ensuring that even if devices are compromised, the attack scope remains limited. Firmware updates should be applied immediately to all affected devices, with careful attention to the specific version requirements for each device series. Network monitoring should be enhanced to detect unusual firmware update activities or network traffic patterns that might indicate exploitation attempts. Additionally, implementing network access controls and firewalls to restrict firmware update access to authorized management systems will provide an additional layer of protection. Regular vulnerability assessments and penetration testing should be conducted to identify similar unauthenticated update mechanisms in other network infrastructure devices, as this vulnerability demonstrates a common security oversight in industrial network equipment.
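The per-series version requirements can be checked against a device inventory with a short script. The following is an added example, not code from MITRE, VulDB or Moxa: the fixed versions come from the summary above, while the model-name regexes, the function names and the sample inventory rows are assumptions made for illustration.

```python
import re

# First fixed firmware version per series, from the CVE-2016-9369 summary.
# The model regexes are assumptions of this example about inventory naming.
# More specific series come first so 5150AI-M12 is not read as a 5100A unit.
FIXED = [
    (r"5[124]50AI-M12", "1.2"),
    (r"56\d\dI?-8-DTL", "2.4"),
    (r"56\d\dI?-8-DT", "2.4"),
    (r"IA5450A", "1.4"),
    (r"P?51\d\dA", "1.3"),
    (r"52\d\dA", "1.3"),
    (r"5110", "2.6"),
    (r"51[35]0", "3.6"),
    (r"52\d\d", "2.8"),
    (r"54\d\d", "3.11"),
    (r"56\d\d", "3.7"),
    (r"6\d50", "1.13.11"),
]

def parse_version(text):
    """'v1.13.11' -> (1, 13, 11). Parts are integers, so 3.9 sorts below 3.11."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text, re.I)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def fixed_version_for(model):
    name = re.sub(r"^\s*(moxa\s+)?nport\s*", "", model, flags=re.I).upper().strip()
    for pattern, fixed in FIXED:
        if re.match(pattern, name):
            return fixed
    return None

def triage(model, installed):
    fixed = fixed_version_for(model)
    if fixed is None:
        return "unknown-model"   # not in the advisory's list; check by hand
    have, need = parse_version(installed), parse_version(fixed)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))   # pad so 1.13 compares as 1.13.0
    need += (0,) * (width - len(need))
    return "vulnerable" if have < need else "fixed"

if __name__ == "__main__":
    # Constructed inventory rows (model, installed firmware), not real data.
    for row in [("NPort 5410", "3.9"), ("NPort 5150A", "1.3"),
                ("NPort 6450", "1.13"), ("EDS-408A", "3.8")]:
        print(row, triage(*row))
```

Comparing versions as integer tuples matters here: a string or float comparison would rank 3.9 above 3.11 and report an unpatched NPort 5400 unit as fixed.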