OTPulse

Advantech WebAccess

Act Now | CVSS 9.8 | ICS-CERT ICSA-19-260-01 | Sep 17, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Advantech WebAccess versions 8.4.1 and earlier contain multiple vulnerabilities (CWE-94, CWE-77, CWE-121, CWE-285) that allow unauthenticated remote attackers to execute arbitrary code with system-level privileges, access sensitive files, and delete data. Successful exploitation could allow attackers to modify control parameters, disrupt plant operations, or steal operational data. No known public exploits currently exist, but the vulnerabilities are easily discoverable and exploitable over the network.

What this means
What could happen
An attacker could execute arbitrary code on WebAccess servers with system-level privileges, allowing them to modify control logic, steal operational data, or disrupt monitoring and supervisory functions across connected industrial devices.
Who's at risk
Water utilities, electric utilities, and any organization using Advantech WebAccess (version 8.4.1 and earlier) for SCADA monitoring and control. Affects supervisory software that manages PLCs, RTUs, and other industrial devices across the plant network.
How it could be exploited
An unauthenticated attacker on the network can send a malicious request to WebAccess (CWE-94: unsafe code execution, CWE-77: improper command handling). The vulnerability bypasses access controls (CWE-285) and can trigger buffer overflows (CWE-121), resulting in arbitrary code execution with system privileges.
Prerequisites
  • Network access to WebAccess server (HTTP/HTTPS port)
  • No authentication required
  • No user interaction needed
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High CVSS (9.8)
  • Affects supervisory control systems
  • Network-reachable
  • Arbitrary code execution as system user
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (1)
Product | Affected Versions | Fix Status
WebAccess | ≤ 8.4.1 | 8.4.2
Remediation & Mitigation
Do now
  • HARDENING: Isolate WebAccess servers from the Internet and business network; place behind firewall with strict inbound access rules
  • HARDENING: Restrict network access to WebAccess to only authorized engineering workstations and control system devices; use allow-list rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update WebAccess to version 8.4.2 or later
  • WORKAROUND: If remote access is required, implement VPN with current patches and multi-factor authentication for engineering access