CVE-2016-9369

9.8 CRITICAL

📋 TL;DR

The firmware update function on affected Moxa NPort serial device servers can be invoked over the network without any authentication. An attacker who can reach the device can load firmware of their choosing, which may lead to remote code execution and persistent control of the device. Multiple NPort series are affected, each with its own first fixed firmware version, so organizations running these industrial networking devices should check every series separately.

💻 Affected Systems

Products:
  • Moxa NPort 5110
  • NPort 5130/5150 Series
  • NPort 5200 Series
  • NPort 5400 Series
  • NPort 5600 Series
  • NPort 5100A Series
  • NPort P5150A
  • NPort 5200A Series
  • NPort 5150AI-M12 Series
  • NPort 5250AI-M12 Series
  • NPort 5450AI-M12 Series
  • NPort 5600-8-DT Series
  • NPort 5600-8-DTL Series
  • NPort 6x50 Series
  • NPort IA5450A
Versions: Versions prior to those specified in CVE description (e.g., NPort 5110 prior to 2.6, NPort 5130/5150 prior to 3.6, etc.)
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Moxa NPort devices are serial device servers: they bridge RS-232/422/485 serial equipment (PLCs, meters, sensors, console ports) to TCP/IP so that it can be reached over Ethernet. They are widely deployed in industrial and building-automation networks, which is why a firmware-level compromise of one can become a foothold next to control systems.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing remote code execution, device takeover, network pivoting to industrial control systems, and disruption of serial communications.

🟠

Likely Case

Unauthorized firmware modification leading to device malfunction, data interception, or persistent backdoor installation.

🟢

If Mitigated

With the device reachable only from a controlled management segment, exposure is limited to attackers who already have a foothold on that segment. Segmentation does not fix the flaw: the unauthenticated update path remains until the firmware is patched.

🌐 Internet-Facing: HIGH - Directly exploitable over network without authentication, CVSS 9.8 indicates critical risk.
🏢 Internal Only: HIGH - Even internally, lack of authentication makes devices vulnerable to any network-accessible attacker.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network reachability to the device and nothing else: no credentials, no user interaction, no special configuration. The flaw is simple in nature, as the firmware update mechanism accepts an image over the network without authenticating the sender.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: See CVE description for specific version per product series (e.g., NPort 5110 v2.6+, NPort 5130/5150 v3.6+, etc.)

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02

Restart Required: Yes

Instructions:

1. Identify the device model and series, and record the firmware version it currently reports.
2. Download the firmware image for that exact model from the Moxa support portal.
3. Apply it using Moxa's documented update procedure for the model. The device restarts during the update, so plan for an interruption of its serial communications.
4. After the restart, confirm that the reported version is at or above the fixed version for the series and that serial connections resume normally.

🔧 Temporary Workarounds

Network Segmentation (applies to all affected models)

Place affected devices in a dedicated VLAN with firewall rules that allow only the hosts that need the serial channel and block every other source from reaching the device.

Access Control Lists (applies to all affected models)

Restrict the device management interfaces (web, Telnet, and any vendor configuration or update port listed in the manual) to an allow-list of administrator addresses. Enforce the allow-list upstream on switches or firewalls rather than relying only on settings stored on the device, since those settings are lost if an attacker replaces the firmware.

🧯 If You Can't Patch

  • Keep the device off any routed network: connect it only to the hosts that need its serial channel, ideally on a dedicated, physically separate segment.
  • Monitor from outside the device (switch, firewall and tap logs) for firmware update attempts and unscheduled reboots; after a successful attack the device's own logs are no longer trustworthy.

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or serial console and compare against patched versions listed in CVE.

Check Version:

Device-specific - typically via web interface at http://[device-ip] or serial console commands per device manual.

Verify Fix Applied:

Confirm firmware version matches or exceeds patched version specified for your device model.
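The comparison step above is easy to get wrong at scale, because firmware versions compared as strings sort "3.11" before "3.6". The following is an added example, not code from the page or from Moxa: an inventory checker that parses reported versions into integer fields and compares them against the first fixed version for each series. Only the two thresholds the page quotes are filled in; the other series must be added from the CVE description before use. The inventory rows and the assumed display formats ("2.6", "v1.4", "2.6 Build 16111211") are constructed sample data.

```python
"""Inventory check for CVE-2016-9369 (added example, not from the page or Moxa).

Compares the firmware version each NPort reports with the first fixed
version for its series. FIXED_VERSIONS holds only the two thresholds the
page quotes; fill in the remaining series from the CVE description before
use. The inventory rows below are constructed sample data, and the assumed
display formats ("2.6", "v1.4", "2.6 Build 16111211") are guesses made to
keep the parser tolerant; adjust them to what your devices actually print.
"""
from typing import Dict, List, Optional, Tuple

# First firmware version that is NOT vulnerable, per series.
FIXED_VERSIONS: Dict[str, str] = {
    "NPort 5110": "2.6",        # page: NPort 5110 prior to 2.6 is vulnerable
    "NPort 5130/5150": "3.6",   # page: NPort 5130/5150 prior to 3.6 is vulnerable
    # "NPort 5200": "...",      # add the other series from the CVE text
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.11', 'v1.4' or '2.6 Build 16111211' into an integer tuple.

    Integer fields matter: as strings, '3.11' < '3.6' is True, which would
    mark a patched device as vulnerable.
    """
    core = text.strip().split()[0].lower()      # drop build suffixes (assumed format)
    if core.startswith("v"):
        core = core[1:]
    fields: List[int] = []
    for part in core.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        if not digits:
            break                               # stop at a non-numeric field such as 'rc1'
        fields.append(int(digits))
    if not fields:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(fields)


def is_vulnerable(series: str, version: str) -> Optional[bool]:
    """True/False for a known series, None when FIXED_VERSIONS lacks an entry."""
    fixed = FIXED_VERSIONS.get(series)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def check_inventory(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """rows are (hostname, series, reported_version); returns (hostname, status)."""
    out = []
    for host, series, version in rows:
        verdict = is_vulnerable(series, version)
        status = {True: "VULNERABLE", False: "patched", None: "unknown series"}[verdict]
        out.append((host, status))
    return out


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("nport-a", "NPort 5110", "2.5"),                   # below 2.6
    ("nport-b", "NPort 5110", "2.6 Build 16111211"),    # exactly the fixed version
    ("nport-c", "NPort 5130/5150", "3.10"),             # numerically above 3.6
    ("nport-d", "NPort 5130/5150", "v3.5"),
    ("nport-e", "NPort 5200", "2.7"),                   # series not in the table yet
]

if __name__ == "__main__":
    for host, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

A device whose series is missing from the table is reported as "unknown series" rather than "patched", so an incomplete table fails loudly instead of hiding vulnerable units.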

📡 Detection & Monitoring

Log Indicators:

  • Unexpected firmware update events
  • Authentication bypass attempts to management interface
  • Device reboot events without scheduled maintenance

Network Indicators:

  • Unauthorized firmware update traffic to device ports
  • Unexpected connections to device management interfaces

SIEM Query:

source_ip OUTSIDE trusted_range AND dest_port IN (80,443,23) AND dest_ip IN affected_devices AND event_type='firmware_update'
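The pseudo-query above fires only on sources outside the trusted range, so a firmware update pushed from a compromised administrator host would pass silently. The following is an added example, not from the page, Moxa or any SIEM vendor: it applies the same logic to a few constructed key=value log lines, and additionally records every firmware update event on an affected device regardless of source, so that each one can be checked against the change calendar. The log format, the trusted range, the device inventory and the port list are all assumptions to replace with your own.

```python
"""Run the page's SIEM logic for CVE-2016-9369 over sample log lines.

Added example, not from the page, Moxa or any SIEM vendor. The key=value
line format is an assumption; adapt parse_line() to your export. Two kinds
of hit are reported:
  untrusted_mgmt_access - connection to an affected device's management
      port from outside the trusted admin range (the page's query)
  firmware_update       - any firmware update event on an affected device,
      from any source, so that unscheduled updates get reviewed
"""
import ipaddress
from typing import Dict, List, Optional

# Assumed environment; replace with your own inventory and admin ranges.
TRUSTED_RANGES = [ipaddress.ip_network("10.10.0.0/24")]   # admin jump hosts
AFFECTED_DEVICES = {"192.168.50.10", "192.168.50.11"}     # unpatched NPorts
MGMT_PORTS = {80, 443, 23}   # ports from the page's query; add the vendor
                             # configuration/update ports listed in the manual

# Constructed sample log (no real traffic).
SAMPLE_LOG = """\
ts=2016-12-01T10:00:01Z src_ip=10.10.0.5 dst_ip=192.168.50.10 dst_port=80 event_type=http_request
ts=2016-12-01T10:00:07Z src_ip=172.16.9.44 dst_ip=192.168.50.10 dst_port=23 event_type=connection
ts=2016-12-01T10:00:09Z src_ip=172.16.9.44 dst_ip=192.168.50.10 dst_port=80 event_type=firmware_update
ts=2016-12-01T10:01:30Z src_ip=10.10.0.5 dst_ip=192.168.50.11 dst_port=80 event_type=firmware_update
ts=2016-12-01T10:02:00Z src_ip=172.16.9.44 dst_ip=192.168.60.3 dst_port=80 event_type=connection
ts=2016-12-01T10:02:05Z src_ip=10.10.0.5 dst_ip=192.168.50.11 dst_port=502 event_type=connection
"""


def parse_line(line: str) -> Dict[str, str]:
    """'k=v k=v ...' -> dict (assumed export format)."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return the hit type for one event, or None if it is benign."""
    if ev.get("dst_ip") not in AFFECTED_DEVICES:
        return None
    if ev.get("event_type") == "firmware_update":
        # Flag even trusted sources: the update path needs no credentials,
        # so a compromised admin host looks identical to real maintenance.
        return "firmware_update"
    if int(ev.get("dst_port", 0)) in MGMT_PORTS and not is_trusted(ev["src_ip"]):
        return "untrusted_mgmt_access"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line and collect the events classify() flags."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = classify(ev)
        if reason:
            hits.append({"ts": ev["ts"], "src": ev["src_ip"], "dst": ev["dst_ip"],
                         "port": ev["dst_port"], "reason": reason})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['ts']} {h['reason']}: {h['src']} -> {h['dst']}:{h['port']}")
```

On the sample data the untrusted host is flagged for its Telnet connection and its firmware update, and the trusted host's update at 10:01:30 is flagged as well; the page's original query would have reported only the first two. Traffic to non-affected devices and to non-management ports such as 502 is ignored.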

🔗 References

  • ICS-CERT advisory ICSA-16-336-02: https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02
  • NVD entry for CVE-2016-9369: https://nvd.nist.gov/vuln/detail/CVE-2016-9369