CVE-2026-10828
MediumCVSS 6.9Summary
A format string vulnerability has been found in the 'alias' parameter of the Serial Param configuration page in NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This issue arises from insufficient input validation and improper handling of externally supplied format strings.
Risk Assessment
An attacker could exploit this vulnerability to leak sensitive memory contents and determine critical memory addresses, potentially bypassing ASLR protections.
Recommendation
It is recommended to update the devices to the latest software version to eliminate this vulnerability and implement additional input validation security mechanisms.
Original NVD description (English source)
A format string vulnerability has been found in the "alias" parameter of the Serial Param configuration page in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and prior. This vulnerability stems from insufficient input validation and improper handling of externally supplied format strings. An attacker could exploit this vulnerability by sending crafted input to the web service, causing unintended memory disclosure. Successful exploitation may allow an attacker to leak sensitive memory contents and determine critical memory addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections.

