OTPulse

Advantech iView

Priority: Act Now · CVSS 9.8 · ICS-CERT ICSA-20-196-01 · Jul 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Advantech iView versions 5.6 and earlier contain multiple vulnerabilities including SQL injection (CWE-89), path traversal (CWE-22), command injection (CWE-77), improper input validation (CWE-20), missing authentication (CWE-306), and insecure access control (CWE-284). Successful exploitation allows an attacker to read or modify information, execute arbitrary code, cause denial of service, or crash the application. No known public exploits currently target these vulnerabilities.

What this means
What could happen
An attacker with network access to iView could read or modify sensitive information, execute arbitrary commands on the system, or crash the application, disrupting monitoring and control of industrial processes.
Who's at risk
Water authorities and municipal utilities using Advantech iView for SCADA monitoring and control. This includes operators who rely on iView for real-time visibility into pumps, treatment processes, distribution systems, and power generation equipment.
How it could be exploited
An attacker on the network (no authentication required) sends malicious input to iView that exploits SQL injection, path traversal, or command injection flaws. The application processes the input without proper validation, allowing the attacker to execute arbitrary code or access sensitive data on the server.
Prerequisites
  • Network access to iView application (typically port 80/443)
  • No authentication required
Tags: remotely exploitable · no authentication required · low complexity · allows arbitrary code execution · affects monitoring and control systems
Exploitability
Moderate exploit probability (EPSS 3.0%)
Affected products (1)
Product | Affected Versions | Fix Status
iView | ≤ 5.6 | Fixed in 5.7
Remediation & Mitigation
Do now
HARDENING: Isolate iView and control system networks from the Internet and business networks using firewalls
HARDENING: Restrict network access to iView to authorized engineering and monitoring personnel only
HARDENING: If remote access to iView is required, use a VPN with current security updates
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade iView to version 5.7 or later