OTPulse

Advantech iView

Act Now · 9.8 · ICS-CERT ICSA-21-040-02 · Feb 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Advantech iView versions below 5.7.03.6112 contain SQL injection (CWE-89), arbitrary file read (CWE-22), and missing access controls (CWE-306) vulnerabilities that allow an attacker to disclose sensitive information, escalate privileges to Administrator level, and remotely execute arbitrary commands with no authentication required.

What this means
What could happen
An attacker with network access to iView could execute arbitrary commands with Administrator privileges, read sensitive files, escalate privileges, or disclose configuration data. This could allow manipulation of monitored systems, theft of credentials, or disruption of visibility into critical operations.
Who's at risk
Water utilities, electric utilities, and any industrial facility using Advantech iView for SCADA/HMI monitoring and control. This centralized monitoring platform is typically used to oversee PLCs, RTUs, and field devices across the network. Compromise could affect real-time visibility and control of critical infrastructure.
How it could be exploited
An attacker on the network reaches iView via its web interface or API (likely port 80/443). The SQL injection (CWE-89) or path traversal (CWE-22) vulnerabilities allow bypassing authentication (CWE-306, missing access controls). Whether authenticated or unauthenticated, depending on exposure, the attacker then executes commands on the iView server, gaining Administrator access and the ability to manipulate monitored devices or exfiltrate data.
Prerequisites
  • Network reachability to iView application port (HTTP/HTTPS)
  • No valid credentials required for initial exploitation (CWE-306 indicates missing authentication)
  • iView version below 5.7.03.6112
Remotely exploitable · No authentication required · Low complexity exploitation · High EPSS score (40.9%) · Multiple vulnerability types (SQL injection, path traversal, missing access controls)
Exploitability
High exploit probability (EPSS 40.9%)
Affected products (1)
Product: iView
Affected Versions: < 5.7.03.6112
Fix Status: 5.7.03.6112
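
Added example (not part of the advisory or of any Advantech tooling): a triage script that checks an asset inventory against the fixed version 5.7.03.6112 and separates Internet-exposed hosts. The hostnames, version strings and CSV layout are constructed, and a four-part dotted numeric version is assumed. Versions are compared numerically because a plain string comparison would rank 5.7.03.999 above 5.7.03.6112.

```python
# Added example: triage an asset inventory against the fixed iView version.
# Hostnames, versions and the CSV layout below are constructed for illustration.
import csv
import io

FIXED = (5, 7, 3, 6112)  # 5.7.03.6112, the fixed version named in the advisory

SAMPLE_INVENTORY = """host,product,version,internet_exposed
hmi-mon-01,iView,5.7.02.5992,no
hmi-mon-02,iView,5.7.03.6112,no
hmi-mon-03,iView,5.7.03.999,yes
hmi-mon-04,iView,5.7.3.6182,no
hmi-mon-05,iView,unknown,yes
hist-01,OtherProduct,1.0.0,no
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not
    four dot-separated numbers (assumed format)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)  # "03" and "3" compare equal

def triage(inventory_csv):
    """Return [(host, status)] for every iView row. Status is one of
    'fixed', 'vulnerable', 'vulnerable-exposed', 'unknown-version'."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "iview":
            continue
        version = parse_version(row["version"])
        if version is None:
            status = "unknown-version"  # treat as unpatched until verified
        elif version >= FIXED:
            status = "fixed"
        elif row["internet_exposed"].strip().lower() == "yes":
            status = "vulnerable-exposed"  # restrict access first, then patch
        else:
            status = "vulnerable"
        findings.append((row["host"], status))
    return findings

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```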
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to iView to authorized engineering/operations staff only using firewall rules; do not expose to the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Advantech iView to version 5.7.03.6112 or later
Long-term hardening
HARDENING: Isolate iView and monitored control system devices on a dedicated network segment behind firewalls, separate from business network
HARDENING: If remote access to iView is required, route all traffic through a VPN with current security updates