CVE-2016-9361

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to brute-force administrative passwords on affected Moxa NPort serial device servers without authentication. It affects multiple NPort series devices running outdated firmware versions. Attackers can gain administrative access to these industrial control system devices.

💻 Affected Systems

Products:
  • Moxa NPort 5110
  • NPort 5130/5150 Series
  • NPort 5200 Series
  • NPort 5400 Series
  • NPort 5600 Series
  • NPort 5100A Series
  • NPort P5150A
  • NPort 5200A Series
  • NPort 5150AI-M12 Series
  • NPort 5250AI-M12 Series
  • NPort 5450AI-M12 Series
  • NPort 5600-8-DT Series
  • NPort 5600-8-DTL Series
  • NPort 6x50 Series
  • NPort IA5450A
Versions: Firmware prior to the fixed versions listed in the CVE description (e.g., prior to 2.6 for NPort 5110)
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default or weak passwords are vulnerable. The vulnerability exists in the web administration interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full administrative compromise of industrial serial devices leading to disruption of industrial processes, data exfiltration, or lateral movement into OT networks.

🟠

Likely Case

Unauthorized administrative access to serial devices allowing configuration changes, service disruption, or credential harvesting.

🟢

If Mitigated

Limited impact if devices are isolated, have strong passwords, and network access controls prevent unauthorized connections.

🌐 Internet-Facing: HIGH - Devices exposed to internet can be brute-forced without authentication, leading to complete compromise.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this, but requires network access to devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple brute-force attack against web interface. No authentication required to attempt password guesses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: See CVE description for specific version numbers per product series

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02

Restart Required: Yes

Instructions:

1. Download the appropriate firmware update from the Moxa website.
2. Back up the device configuration.
3. Upload the firmware via the web interface or console.
4. Reboot the device.
5. Restore the configuration if needed.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate NPort devices in separate VLANs with strict firewall rules limiting access to authorized management stations only.

Strong Password Enforcement

all

Implement complex, unique passwords for all administrative accounts and enable account lockout policies if supported.

🧯 If You Can't Patch

  • Implement network access controls to restrict connections to NPort devices from trusted IP addresses only
  • Monitor authentication logs for brute-force attempts and implement intrusion detection

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface (System > System Info) or the serial console, and compare it against the patched versions in the CVE description.

Check Version:

Via web interface or serial console: show version or system info

Verify Fix Applied:

Confirm that the firmware version matches or exceeds the patched version, and verify that the web interface no longer accepts unlimited password attempts.
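A version check that a practitioner could drop into an inventory script, as an added example that is not part of this page or of any Moxa tooling. The only fixed version the page gives is 2.6 for the NPort 5110, so that is the only entry in the table; the other series must be filled in from the CVE description or the vendor advisory. The point the example makes is that firmware versions have to be compared numerically, component by component, because a plain string comparison puts "2.10" before "2.6" and would misreport a patched unit as vulnerable.

```python
import re

# Minimum fixed firmware per model. Only the NPort 5110 value (2.6) appears on
# this page; the remaining series are placeholders to be filled from the CVE
# description / ICSA-16-336-02 before use.
FIXED_FIRMWARE = {
    "NPort 5110": "2.6",
    # "NPort 5130/5150 Series": "<fixed version from advisory>",
    # "NPort 5200 Series": "<fixed version from advisory>",
}


def parse_version(text):
    """Turn a version string such as '2.6' or '2.10' into a tuple of ints.

    Only the leading dotted number is used; any trailing build tag after
    whitespace is ignored. Comparing tuples compares component by component,
    so (2, 10) > (2, 6), which a string comparison would get wrong.
    """
    head = text.strip().split()[0]
    parts = re.findall(r"\d+", head)
    if not parts:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model, running_version):
    """True if the running firmware is older than the fixed release for the model.

    Raises KeyError for a model with no entry rather than silently reporting
    it as fixed; an unknown model should be investigated, not ignored.
    """
    fixed = FIXED_FIRMWARE[model]
    return parse_version(running_version) < parse_version(fixed)


def audit(inventory):
    """Evaluate a list of (device_name, model, running_version) tuples.

    Returns a list of (device_name, status) where status is
    'vulnerable', 'fixed' or 'unknown-model'.
    """
    results = []
    for name, model, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(model, version) else "fixed"
        except KeyError:
            status = "unknown-model"
        results.append((name, status))
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("plc-gw-01", "NPort 5110", "2.5"),
        ("plc-gw-02", "NPort 5110", "2.6"),
        ("plc-gw-03", "NPort 5110", "2.10"),
        ("plc-gw-04", "NPort 6x50 Series", "1.0"),
    ]
    for name, status in audit(sample):
        print(f"{name}: {status}")
```

Run it against an export of your asset inventory; anything reported as `unknown-model` needs its fixed version added to the table before the result is trusted.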

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from single source
  • Successful logins from unexpected IP addresses
  • Configuration changes without authorized change tickets

Network Indicators:

  • HTTP POST requests to login.cgi with varying password parameters
  • Unusual traffic patterns to NPort web interfaces

SIEM Query:

source_ip="NPort_IP" AND ((event_type="authentication_failure" COUNT > 10 WITHIN 5min) OR (event_type="configuration_change" AND user NOT IN authorized_users))
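The log indicators and the SIEM query above, turned into runnable detection logic as an added example (not code from this page or from Moxa). The NPort log format is not given here, so the line format, the hostnames and the source addresses below are constructed assumptions; adapt the two regular expressions to the syslog output your devices actually produce. The example goes slightly beyond the query by also flagging a configuration change made from a source that is not a trusted management station, which covers the "successful logins from unexpected IP addresses" indicator for changes as well as logins.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed (hypothetical) log format:
#   <ISO timestamp> <host> auth login failed|ok user=<u> src=<ip>
#   <ISO timestamp> <host> config changed by user=<u> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<kind>auth|config) (?P<detail>.*)$"
)
AUTH_RE = re.compile(r"^login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$")
CFG_RE = re.compile(r"^changed by user=(?P<user>\S+) src=(?P<src>\S+)$")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "auth" or "config"
    user: str
    src: str
    result: str = ""  # "failed" / "ok" for auth events


def parse_line(line):
    """Parse one log line into an Event, or None if it is not one we handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    if m["kind"] == "auth":
        a = AUTH_RE.match(m["detail"])
        return Event(ts, m["host"], "auth", a["user"], a["src"], a["result"]) if a else None
    c = CFG_RE.match(m["detail"])
    return Event(ts, m["host"], "config", c["user"], c["src"]) if c else None


def detect(lines, *, threshold=10, window=timedelta(minutes=5),
           trusted_srcs=frozenset(), authorized_users=frozenset()):
    """Return alerts as (kind, host, src, detail) tuples, in log order.

    - brute_force: more than `threshold` failed logins from one source
      against one device inside a sliding `window` (fires once per pair).
    - login_from_untrusted_src: successful login from outside trusted_srcs.
    - unauthorized_config_change: change by a user outside authorized_users
      or from a source outside trusted_srcs.
    """
    alerts = []
    failures = defaultdict(deque)   # (host, src) -> timestamps in window
    fired = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev.host, ev.src)
        if ev.kind == "auth" and ev.result == "failed":
            q = failures[key]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:   # drop entries older than window
                q.popleft()
            if len(q) > threshold and key not in fired:
                fired.add(key)
                alerts.append(("brute_force", ev.host, ev.src, f"{len(q)} failures within {window}"))
        elif ev.kind == "auth" and ev.src not in trusted_srcs:
            alerts.append(("login_from_untrusted_src", ev.host, ev.src, f"user={ev.user}"))
        elif ev.kind == "config" and (ev.user not in authorized_users or ev.src not in trusted_srcs):
            alerts.append(("unauthorized_config_change", ev.host, ev.src, f"user={ev.user}"))
    return alerts


def sample_lines():
    """Constructed sample log, not captured from a real device."""
    base = datetime(2016, 12, 1, 10, 0, 0)
    stamp = lambda delta: (base + delta).isoformat(timespec="seconds")
    lines = [f"{stamp(timedelta(seconds=15 * i))} nport-01 auth login failed user=admin src=203.0.113.5"
             for i in range(12)]                                   # 12 failures in 3 minutes
    lines.append(f"{stamp(timedelta(minutes=3))} nport-01 auth login ok user=admin src=203.0.113.5")
    lines.append(f"{stamp(timedelta(minutes=4))} nport-01 config changed by user=admin src=203.0.113.5")
    lines.append(f"{stamp(timedelta(hours=1))} nport-02 auth login ok user=admin src=192.0.2.10")  # benign
    lines += [f"{stamp(timedelta(hours=2, minutes=6 * i))} nport-02 auth login failed user=admin src=198.51.100.7"
              for i in range(11)]                                  # 11 failures spread over an hour: below rate
    return lines


def run_sample():
    return detect(sample_lines(), trusted_srcs=frozenset({"192.0.2.10"}),
                  authorized_users=frozenset({"admin"}))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The sliding window matters: eleven failures spread over an hour stay below the rate the query describes and produce no alert, while the same count inside five minutes fires exactly once per device/source pair so a long-running attempt does not flood the console.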

🔗 References
