CVE-2025-2026: CWE-170: Improper Null Termination in Moxa NPort 6100-G2/6200-G2 Series
CVE-2025-2026 is a high-severity vulnerability affecting Moxa NPort 6100-G2/6200-G2 Series devices. It involves improper null termination in the device’s web API, allowing authenticated remote attackers with read-only web privileges to perform null byte injection. Exploiting this flaw can cause the device to reboot unexpectedly, leading to a denial-of-service (DoS) condition. The vulnerability requires no user interaction and has a CVSS score of 7.1, indicating significant risk. Although no known exploits are currently in the wild, the impact on availability is substantial for operational environments relying on these devices. European organizations using these serial device servers in industrial or critical infrastructure settings could face operational disruptions. Mitigation involves restricting access to the web API, applying vendor patches when available, and monitoring device behavior for unexpected reboots. Countries with strong industrial automation sectors and critical infrastructure deployments of Moxa products, such as Germany, France, and the UK, are most likely to be affected.
AI Analysis
Technical Summary
CVE-2025-2026 is a vulnerability classified under CWE-170 (Improper Null Termination) found in the Moxa NPort 6100-G2 and 6200-G2 Series serial device servers, specifically version 1.0.0. The flaw resides in the device’s web API, where improper handling of null bytes allows an authenticated remote attacker with read-only web privileges to inject a null byte into API requests. This injection leads to improper string termination in the device’s processing logic, causing unexpected behavior that results in the device rebooting. The reboot disrupts normal device operation, causing a denial-of-service condition that can affect connected systems relying on these serial device servers for communication. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity and no additional privileges beyond read-only web access. The CVSS 4.0 score of 7.1 reflects the high impact on availability and the ease of exploitation. While no public exploits have been reported yet, the vulnerability poses a significant risk to environments where these devices are deployed, particularly in industrial control systems and critical infrastructure where uptime is crucial. The lack of available patches at the time of disclosure necessitates immediate mitigation through access controls and monitoring.
Potential Impact
The primary impact of CVE-2025-2026 is on availability, as successful exploitation causes device reboots leading to denial-of-service conditions. For European organizations, particularly those in industrial automation, manufacturing, energy, and transportation sectors that rely on Moxa NPort 6100-G2/6200-G2 Series devices for serial-to-Ethernet communication, this can disrupt critical operational processes. Unexpected device reboots can interrupt data flows, control commands, and monitoring systems, potentially causing production downtime, safety risks, and financial losses. The requirement for only read-only web access lowers the barrier for exploitation, increasing risk. Given the role of these devices in critical infrastructure, the vulnerability could also have cascading effects on dependent systems. Although confidentiality and integrity impacts are not indicated, the availability disruption alone is significant. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.
Mitigation Recommendations
1. Restrict network access to the web API interface of Moxa NPort 6100-G2/6200-G2 devices using network segmentation, firewalls, and access control lists to limit exposure to trusted management hosts only.
2. Enforce strong authentication and monitor for unauthorized access attempts to the device’s web interface, even for read-only accounts.
3. Implement continuous monitoring and alerting for unexpected device reboots or abnormal behavior indicative of exploitation attempts.
4. Coordinate with Moxa for timely firmware updates or patches addressing this vulnerability and apply them as soon as they become available.
5. Where possible, disable or limit web API functionalities that are not essential to reduce the attack surface.
6. Conduct regular security assessments and penetration tests on industrial control system networks to identify and remediate similar vulnerabilities.
7. Maintain an incident response plan that includes procedures for handling device outages caused by such vulnerabilities to minimize operational impact.
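Recommendation 3 (alerting on unexpected reboots), as an added example that is not from Moxa or from this page's source: reboot detection over polled uptime values. It assumes uptime is collected on a fixed interval as SNMP sysUpTime TimeTicks; `Sample`, `find_reboots`, `reboot_burst` and all poll values are constructed for illustration.

```python
from dataclasses import dataclass

TICKS_PER_SEC = 100   # SNMP TimeTicks count hundredths of a second
WRAP = 2 ** 32        # TimeTicks is 32-bit and wraps after about 497 days


@dataclass(frozen=True)
class Sample:
    epoch: int   # wall-clock poll time on the collector, seconds
    ticks: int   # device uptime as reported, in TimeTicks


def find_reboots(samples, slack_s=5):
    """Return [(detected_at, estimated_boot_time)] for each reboot seen.

    Uptime must grow by the same amount as wall-clock time between polls.
    Comparing the growth modulo 2**32 keeps a counter wrap from being
    reported as a reboot, and catches a reboot even when the new uptime
    happens to be larger than the previous one.
    """
    events = []
    for prev, cur in zip(samples, samples[1:]):
        expected = (cur.epoch - prev.epoch) * TICKS_PER_SEC
        grown = (cur.ticks - prev.ticks) % WRAP
        if abs(grown - expected) > slack_s * TICKS_PER_SEC:
            events.append((cur.epoch, cur.epoch - cur.ticks // TICKS_PER_SEC))
    return events


def reboot_burst(events, window_s=3600, threshold=2):
    """True if at least `threshold` reboots fall inside any `window_s` span."""
    boots = sorted(boot for _, boot in events)
    return any(
        boots[i + threshold - 1] - boots[i] <= window_s
        for i in range(len(boots) - threshold + 1)
    )


# Constructed poll data: 60-second interval, device up for one day, then a reboot.
T0 = 1_700_000_000
POLLS = [
    Sample(T0, 8_640_000),
    Sample(T0 + 60, 8_646_000),
    Sample(T0 + 120, 2_500),      # uptime fell to 25 s: rebooted at T0 + 95
    Sample(T0 + 180, 8_500),
]
# Constructed wrap case: the counter rolls over, the device did not reboot.
WRAP_POLLS = [Sample(T0, WRAP - 3_000), Sample(T0 + 60, 3_000)]

if __name__ == "__main__":
    print(find_reboots(POLLS), find_reboots(WRAP_POLLS))
```

Correlating each estimated boot time with web-interface logins from read-only accounts shortly before it ties this check to recommendation 2.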
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Moxa
- Date Reserved: 2025-03-06T02:21:13.887Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6954d43bdb813ff03ed2b252
Added to database: 12/31/2025, 7:43:55 AM
Last enriched: 1/7/2026, 1:05:37 PM
Last updated: 2/7/2026, 2:05:02 PM