OTPulse

Advantech WebAccess

Plan: Patch
CVSS: 7.1
Source: ICS-CERT ICSA-17-124-03
Date: May 4, 2017
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Advantech WebAccess versions 8.1 and earlier contain a path traversal and denial of service vulnerability (CWE-36). The application fails to properly validate input parameters, allowing an authenticated user to read arbitrary files or crash the WebAccess service. This could compromise confidentiality of configuration and operational data or disrupt access to critical monitoring and control interfaces.

What this means
What could happen
An attacker with valid login credentials could cause denial of service (system unavailability) or read sensitive data from your WebAccess application, disrupting monitoring and control of your industrial processes.
Who's at risk
Water utilities and electric utilities running Advantech WebAccess for SCADA monitoring and HMI (human-machine interface) functions. This affects operations staff, field technicians, and any control system that relies on WebAccess for remote monitoring or configuration.
How it could be exploited
An attacker on your network with valid WebAccess user credentials sends a specially crafted request to the WebAccess application. The application fails to properly validate the input, allowing the attacker to either crash the service or read files outside the intended application directory.
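The check the advisory says is missing, as an added illustration (not Advantech's code): a user-supplied file name is decoded, canonicalised and confirmed to still sit under the application's directory before anything is read. The base directory and the sample request values are constructed placeholders, and the function is generalised to cover absolute paths (CWE-36), `../` traversal, backslash separators and double URL-encoding.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed placeholder, not a real Advantech WebAccess install path.
BASE_DIR = "/srv/webaccess_constructed/files"


def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Canonical path of user_path inside base_dir, or None if the request
    would escape base_dir (absolute path, CWE-36, or ../ traversal)."""
    decoded = user_path
    for _ in range(3):                      # decode until stable, so double-
        nxt = unquote(decoded)              # encoded %252e%252e cannot slip by
        if nxt == decoded:
            break
        decoded = nxt
    normalized = decoded.replace("\\", "/")  # treat '\' as a separator too
    if "\x00" in normalized:                 # NUL would truncate the file name
        return None
    # Absolute POSIX paths and Windows drive-letter paths are rejected outright.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalized))
    # commonpath is the portable "still under base?" test; it catches
    # 'reports/../../x', which os.path.join alone would happily build.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    return candidate


def audit_requests(base_dir: str, names: list) -> dict:
    """Map each requested file name to True (served) or False (rejected)."""
    return {n: resolve_within(base_dir, n) is not None for n in names}


if __name__ == "__main__":
    # Constructed sample values a file-download parameter might receive.
    samples = ["reports/daily.txt", "../../etc/passwd", "/etc/passwd",
               "..%2F..%2Fetc%2Fpasswd", "%252e%252e%252fetc%252fpasswd",
               "C:\\Windows\\win.ini", "reports\\..\\..\\secret.cfg"]
    for name, ok in audit_requests(BASE_DIR, samples).items():
        print(f"{'ALLOW ' if ok else 'REJECT'} {name!r}")
```

Only the first sample is served; every other value resolves outside the base directory and is refused before any file access happens.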
Prerequisites
  • Network access to the WebAccess application (TCP, typically port 80 or 443)
  • Valid WebAccess user account credentials
  • Knowledge of the vulnerable input handling mechanism
Tags: remotely exploitable, requires valid credentials, low complexity, affects monitoring and control visibility, allows denial of service
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (1)
Product   | Affected Versions | Fix Status
WebAccess | ≤ 8.1             | 8.2_20170330
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to WebAccess to only authorized engineering and operations staff using firewall rules and VPN segmentation
HARDENING: Enforce strong, unique passwords for all WebAccess user accounts and disable default accounts if present
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade WebAccess to version 8.2_20170330 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate WebAccess from less-trusted networks and untrusted users