Advantech WebAccess Vulnerabilities

Act NowCVSS 9.8ICS-CERT ICSA-16-014-01Oct 17, 2016

Advantech

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Advantech WebAccess versions 8.0 and earlier contain multiple critical vulnerabilities including buffer overflows (CWE-121, CWE-122, CWE-119), SQL injection (CWE-89), cross-site scripting (CWE-79), path traversal (CWE-22), unrestricted file upload (CWE-434), missing authentication (CWE-284), and improper input validation (CWE-20). These vulnerabilities allow remote attackers to bypass authentication, execute arbitrary code, access sensitive data, and manipulate industrial device configurations without authentication or user interaction.

What this means

What could happen

An attacker could remotely gain administrative control of Advantech WebAccess and issue arbitrary commands to connected industrial devices, potentially disrupting or altering critical plant operations including SCADA systems, PLCs, and remote terminal units.

Who's at risk

Water utilities, electric utilities, and manufacturing plants using Advantech WebAccess for SCADA monitoring and control of PLCs, RTUs, and other industrial devices. This includes any operation relying on WebAccess for remote monitoring or automated alarming.

How it could be exploited

An attacker with network access to the WebAccess server could exploit multiple input validation and injection vulnerabilities to bypass authentication, upload malicious code, or execute arbitrary SQL commands. The low-complexity attack requires no user interaction and could allow the attacker to modify process parameters or shut down equipment.

Prerequisites

Network access to WebAccess application port (typically 80/443)
WebAccess version 8.0 or earlier deployed
No network segmentation isolating WebAccess from untrusted networks

remotely exploitableno authentication requiredlow complexityhigh EPSS score (72.2%)no patch availableaffects critical industrial control systemsmultiple critical input validation flaws

Exploitability

Likely to be exploited — EPSS score 72.2%

Metasploit module available — weaponized exploitView module ↗

Affected products (1)

ProductAffected VersionsFix Status

WebAccess: <=8.0≤ 8.0No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIsolate WebAccess servers from the Internet and untrusted network segments using a firewall or demilitarized zone (DMZ); restrict inbound connections to authorized IP addresses and engineering workstations only

HARDENINGImplement network monitoring and intrusion detection rules to detect SQL injection and file upload attempts targeting WebAccess

WORKAROUNDDisable unnecessary WebAccess features and services that are not required for plant operations

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGImplement strong access controls and multi-factor authentication for all WebAccess administrative accounts

Long-term hardening

0/1

HOTFIXEvaluate replacement or decommissioning of WebAccess 8.0 and earlier versions; contact Advantech for guidance on end-of-life products and upgrade paths to newer versions with security patches

CVEs (15)

CVE-2016-0851 CVE-2016-0854 CVE-2016-0855 CVE-2016-0856 CVE-2016-0857 CVE-2016-0858 CVE-2016-0859 CVE-2016-0860 CVE-2016-0852 CVE-2016-0853 CVE-2015-3948 CVE-2015-3947 CVE-2015-3946 CVE-2015-6467 CVE-2015-3943

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f5a485f2-6ad4-441d-9679-677d02fba80a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.