Advantech WISE-PaaS/RMM
Priority: Act Now
CVSS: 9.8
Advisory: ICS-CERT ICSA-19-304-01
Published: Oct 31, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Advantech WISE-PaaS/RMM version 3.3.29 and earlier contains multiple vulnerabilities including path traversal (CWE-22), missing access controls (CWE-862), XML external entity injection (CWE-611), and SQL injection (CWE-89). These flaws allow attackers to disclose information, execute remote code, and compromise system availability. The product was phased out by Advantech in July 2019 and replaced with EdgeSense and DeviceOn.
What this means
What could happen
An attacker could read sensitive files from the server, execute arbitrary code on the RMM platform, or cause the remote monitoring and management system to stop functioning. This could disrupt visibility into and control of connected edge devices and industrial equipment.
Who's at risk
Organizations using Advantech WISE-PaaS/RMM for remote monitoring and management of industrial edge devices and IoT sensors. This includes facilities in manufacturing, energy, water utilities, and building automation that rely on the RMM platform to monitor and manage distributed equipment.
How it could be exploited
An attacker can send a malicious HTTP request over the network to port 1880/TCP without authentication. The request could exploit path traversal to read files, SQL injection to query the database, or XML injection to load external entities. Successful exploitation allows the attacker to run commands or retrieve sensitive information stored on the RMM server.
Prerequisites
- Network access to port 1880/TCP
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (9.8), no patch available, end-of-life product
Exploitability
Moderate exploit probability (EPSS 3.5%)
Affected products (1)
Product | Affected Versions | Fix Status
WISE-PaaS/RMM | ≤ 3.3.29 | No fix (EOL)
Remediation & Mitigation
Do now
- HOTFIX: Migrate from WISE-PaaS/RMM to Advantech EdgeSense or DeviceOn replacement products
- WORKAROUND: Block or restrict access to port 1880/TCP at the firewall; only allow connections from authorized management networks
- HARDENING: Implement network segmentation to isolate the RMM platform from the business network and Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Restrict access to the RMM platform using the principle of least privilege; limit user accounts and remove unnecessary permissions
- HARDENING: If remote access to RMM is required, use a VPN and ensure it is updated to the latest version