OTPulse

Advantech WebAccess Node

Act Now | CVSS 9.8 | ICS-CERT ICSA-20-128-01 | May 7, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Advantech WebAccess Node (input validation, buffer overflows, SQL injection) allow unauthenticated remote code execution, information disclosure, and denial of service. Affected versions: 8.4.4 and earlier, and 9.0.0. An attacker can send crafted requests over the network without authentication to execute arbitrary code on the device. The vendor has released patch versions 8.4.4.P0320844 and 9.0.0.P0320900 to address the issues. No public exploits are currently known, but the vulnerabilities have a high exploit probability (EPSS 31.4%).

What this means
What could happen
An attacker could execute arbitrary code on WebAccess Node devices, potentially altering monitoring and control functions across your SCADA/HMI infrastructure. This could result in unauthorized changes to process setpoints, loss of visibility into critical operations, or denial of service.
Who's at risk
Water and electric utilities using Advantech WebAccess Node for SCADA/HMI monitoring and control. The vulnerability affects both the current version 9.0.0 and legacy version 8.4.4 and earlier, impacting any deployment used for remote monitoring of pumps, generators, switches, and other critical infrastructure equipment.
How it could be exploited
An attacker on the network or internet can send a malicious request to the WebAccess Node without authentication due to multiple input validation and memory safety vulnerabilities (CWE-129, CWE-23, CWE-89, CWE-121, CWE-122, CWE-125). This could lead to buffer overflow or SQL injection, allowing remote code execution on the device.
Prerequisites
  • Network access to WebAccess Node (port/service dependent on deployment)
  • No authentication required
  • Ability to send HTTP/network traffic to the device
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High EPSS score (31.4%)
  • Multiple memory safety and input validation vulnerabilities
  • No fix available for version 9.0.0 users initially released without patches
Exploitability
High exploit probability (EPSS 31.4%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
WebAccess Node | 9.0.0 | No fix yet
WebAccess Node | ≤ 8.4.4 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Place WebAccess Node devices behind a firewall and isolate from business network and Internet
HARDENING: Restrict network access to WebAccess Node to only authorized monitoring and engineering workstations
HARDENING: During installation, configure a strong password for RPC calls (do not leave blank)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update WebAccessNode Version 8.4.4 to patch level P0320844 or later
HOTFIX: Update WebAccessNode Version 9.0.0 to patch level P0320900 or later
WORKAROUND: If remote access is required, implement VPN with strong authentication and encryption, kept current
Advantech WebAccess Node | CVSS 9.8 - OTPulse