Advantech WebAccess/SCADA
Monitor | 5.3 | ICS-CERT ICSA-18-023-01 | Jan 23, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Advantech WebAccess/SCADA contains path traversal (CWE-22) and SQL injection (CWE-89) vulnerabilities in versions prior to 8.3.0. These vulnerabilities allow unauthenticated remote attackers to read arbitrary files from the system or execute SQL queries against the database, potentially exposing SCADA configuration data and operational parameters.
What this means
What could happen
An attacker could read sensitive files or data from the WebAccess/SCADA system, potentially exposing SCADA configuration or operational data from your industrial control network.
Who's at risk
Energy sector operators using Advantech WebAccess/SCADA for SCADA monitoring and control systems. This affects organizations that have deployed WebAccess/SCADA versions before 8.3.0 as a supervisory control or data acquisition interface.
How it could be exploited
An attacker on the network can send specially crafted requests to the WebAccess/SCADA interface without authentication. By manipulating file paths (path traversal) or injecting SQL commands, the attacker can bypass access controls and retrieve files or query the database directly.
Prerequisites
- Network access to the WebAccess/SCADA web interface
- No authentication required
- WebAccess/SCADA version prior to 8.3.0 deployed
Tags: remotely exploitable, no authentication required, low complexity, path traversal vulnerability, SQL injection vulnerability
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (1)
Product | Affected Versions | Fix Status
WebAccess/SCADA | < 8.2 20170817 | 8.3.0
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update WebAccess/SCADA to version 8.3.0 or later
CVEs (2)