Advantech WebAccess/SCADA
5.4
ICS-CERT ICSA-21-075-01
Mar 16, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
WebAccess/SCADA version 9.0 and earlier contains a cross-site scripting (XSS) vulnerability that allows an unauthorized attacker to steal a user's session cookie/token or redirect an authorized user to a malicious webpage. This is a reflected XSS vulnerability triggered when a user clicks a crafted malicious link while authenticated to the system.
What this means
What could happen
An attacker could steal an operator's session token or hijack a web browser session, potentially allowing unauthorized access to the SCADA system and the ability to view or alter process parameters and operational status.
Who's at risk
This affects operators and system administrators of Advantech WebAccess/SCADA systems in energy sector organizations (electric utilities, generation plants, substations) who rely on web-based remote access to monitor and control power generation, distribution, or substation equipment.
How it could be exploited
An attacker crafts a malicious web link containing JavaScript code that the vulnerable page reflects back to the browser, and tricks an operator into clicking it or visiting a compromised webpage. When the operator's browser loads the page, the JavaScript executes in the context of the WebAccess/SCADA application, stealing the session cookie or redirecting the operator to a phishing page.
Prerequisites
- Operator must click a malicious link or visit a compromised webpage while authenticated to WebAccess/SCADA
- WebAccess/SCADA running version 9.0 or earlier
- Victim holds a valid operator account (social engineering is required to get the user to click the link)
Tags:
- remotely exploitable
- no authentication required (attacker sends link; victim must be logged in)
- low complexity
- affects SCADA operator access and process visibility
- social engineering required
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
WebAccess/SCADA | ≤ 9.0 | 9.0.1 or later
Remediation & Mitigation
Do now
WORKAROUND: Implement email filtering and user awareness training to reduce social engineering risk (phishing/malicious link clicks)
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Update WebAccess/SCADA to version 9.0.1 or later
HARDENING: Deploy web application firewall (WAF) rules to detect and block XSS injection patterns in WebAccess/SCADA traffic
Long-term hardening
HARDENING: Segment WebAccess/SCADA network access; restrict operator workstations to only communicate with the application server
CVEs (1)
API:
/api/v1/advisories/90be1e0c-f9da-44c1-8a8b-368916d809cb