CVE-2026-10825: Improper JSON Input Validation in WebSocket API Leads to Denial of Service
A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: 1.2.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in the WebSocket API of the Moxa NPort 6000-G2 Series firmware (versions 1.1.0 and earlier). The API fails to properly validate incoming JSON payloads, and an attacker with a low-privileged account can send a specially crafted WebSocket request over the network to trigger the flaw. Successful exploitation crashes the affected service and may force an unexpected device reboot. A patched-image rebuild at version 1.2.0 is available on HarborGuard for environments running an affected version.
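The advisory does not publish the request format or the root cause, so the following is an added example (not Moxa or HarborGuard code) of the defensive pattern the description points to: checking a JSON WebSocket frame for size, nesting depth and field types before dispatch, and turning every failure into a rejected request. The message fields (`op`, `id`, `params`), the operation names and the limits are assumptions.

```python
import json

# Assumed limits and operation names; the advisory does not publish the real API.
MAX_BYTES = 4096
MAX_DEPTH = 4
ALLOWED_OPS = {"get_status", "set_port"}

class RejectedRequest(Exception):
    """Validation failure; the caller answers with an error frame."""

def check_depth(value, level=1):
    # Recursion is bounded: it stops once level exceeds MAX_DEPTH.
    if level > MAX_DEPTH:
        raise RejectedRequest("nesting too deep")
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, list):
        for child in value:
            check_depth(child, level + 1)

def parse_request(frame: bytes) -> dict:
    if len(frame) > MAX_BYTES:
        raise RejectedRequest("frame too large")
    try:
        msg = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError) as exc:
        raise RejectedRequest("not valid JSON") from exc
    if not isinstance(msg, dict):
        raise RejectedRequest("top level must be an object")
    check_depth(msg)
    if set(msg) - {"op", "id", "params"}:
        raise RejectedRequest("unexpected field")
    op, req_id, params = msg.get("op"), msg.get("id"), msg.get("params", {})
    if not isinstance(op, str) or op not in ALLOWED_OPS:
        raise RejectedRequest("unknown op")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(req_id, bool) or not isinstance(req_id, int) or not 0 <= req_id < 2**32:
        raise RejectedRequest("bad id")
    if not isinstance(params, dict):
        raise RejectedRequest("params must be an object")
    return {"op": op, "id": req_id, "params": params}

def handle_frame(frame: bytes) -> dict:
    """Turn every malformed request into an error reply, never an unhandled exception."""
    try:
        req = parse_request(frame)
    except RejectedRequest as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "op": req["op"], "id": req["id"]}
```

The point of `handle_frame` is that the service keeps running whatever the frame contains; only a fully validated request reaches the dispatcher.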
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images derived from affected Moxa firmware layers.
Status: Available
HarborGuard scores this CVE at 7.1 HIGH using the CVSS v4.0 vector and is capable of applying per-environment compliance policy weighting to prioritize routing, ensuring the finding reaches the appropriate team inbox within each customer organization.
Status: Available
A patched-image rebuild at version 1.2.0 is available on HarborGuard for any environment found running an affected version (1.1.0 or earlier). For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests against the updated image, and open a pull request against affected workloads automatically.
Status: Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WebSocket API over the network; the service must be exposed to the attacker's network segment.
- Authentication: Required
  Any low-privilege account is sufficient; the attacker does not need administrative or elevated credentials.
- Victim interaction: Not required
  No user interaction is needed; the attacker sends the crafted request directly to the API without involving another user.
- Attack complexity: Detail
  Exploit complexity is low, meaning the attack is reliable and requires no special race conditions or specific environmental prerequisites.
Blast Radius
- Crashes the WebSocket API service on the targeted NPort 6000-G2 device.
- Triggers an unexpected device reboot, interrupting all serial-to-network communication routed through the device.
- Sustained repeated requests can keep the device in a reboot loop, causing prolonged availability loss for downstream systems depending on the device.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any customer image built on affected NPort 6000-G2 firmware (1.1.0 or earlier). A rebuilt image at the fixed version (1.2.0) is available for affected environments. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, executes a regression-test run against the new image, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and test results are staged and waiting for reviewer action. Customers who cannot upgrade immediately should consider restricting network access to the WebSocket API port via network policy or firewall rules to limit exposure until the patched image is deployed.
Fix available
- Moxa / NPort 6000-G2 Series: ≤ 1.1.0, fixed in 1.2.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N