Advantech WISE-PaaS RMM
Act Now | 9.1 | ICS-CERT ICSA-21-124-01 | May 4, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
WISE-PaaS/RMM contains a hardcoded or weak credential vulnerability (CWE-798) that allows an attacker with network access to obtain sensitive information such as credentials and system configuration. Advantech has declared RMM end-of-life and will not issue patches. The vulnerability affects all versions below 3.3.29, but no patched version exists.
What this means
What could happen
An attacker with network access to an unpatched WISE-PaaS/RMM device could extract sensitive information such as credentials or system configuration data. Since RMM is an end-of-life product with no patch available, affected organizations must implement network isolation or replace the device entirely.
Who's at risk
Water authorities and electric utilities using Advantech WISE-PaaS/RMM for remote device monitoring should prioritize this advisory. RMM is commonly deployed to monitor RTUs, distributed I/O nodes, and remote substations. Any organization that has not replaced this end-of-life product is at risk.
How it could be exploited
An attacker on the network sends crafted requests to the WISE-PaaS/RMM device exploiting hardcoded or weak credential handling (CWE-798). The device returns sensitive data without proper authentication or encryption checks. No user interaction is required.
Prerequisites
- Network access to WISE-PaaS/RMM device port (typically HTTP/HTTPS)
- Device must be reachable from attacker's network segment (no firewall block)
remotely exploitable, no authentication required, low complexity, no patch available, end-of-life product
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
WISE-PaaS/RMM | < 3.3.29 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate WISE-PaaS/RMM behind a firewall; do not expose to Internet or untrusted networks
- HARDENING: If remote access is required, route all traffic through a VPN and restrict access by IP address to engineering workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Replace WISE-PaaS/RMM with Advantech WISE-DeviceOn or another supported remote monitoring solution
Mitigations - no patch available
WISE-PaaS/RMM has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Segment RMM device onto a dedicated management network separate from process control and business networks
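One way to check that the IP restriction and segmentation above are actually holding, as an added example (not part of the advisory or any Advantech tooling): the script scans firewall flow records for accepted connections to the RMM host from sources outside the engineering-workstation allowlist. The addresses, the allowlist range and the four-field log format are constructed assumptions.

```python
import ipaddress

# Assumptions (constructed for illustration, not taken from the advisory):
RMM_HOSTS = {ipaddress.ip_address("10.20.30.5")}            # RMM server on the management network
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("10.20.30.16/29")]  # engineering workstations (via VPN)

# Constructed flow records, one per line: "src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
10.20.30.17 10.20.30.5 443 ACCEPT
10.50.1.44 10.20.30.5 80 ACCEPT
203.0.113.9 10.20.30.5 443 ACCEPT
203.0.113.9 10.20.30.5 443 DROP
10.50.1.44 10.20.40.7 443 ACCEPT
malformed line
"""


def parse_flow(line):
    """Return (src, dst, port, action), or None if the line is not a valid record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        port = int(parts[2])
    except ValueError:
        return None
    return src, dst, port, parts[3].upper()


def find_violations(flow_text):
    """List (source, port) for accepted flows to an RMM host from outside the allowlist."""
    violations = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed records instead of aborting the audit
        src, dst, port, action = flow
        if dst not in RMM_HOSTS or action != "ACCEPT":
            continue  # traffic to other hosts, or traffic the firewall already blocked
        if not any(src in net for net in ENGINEERING_ALLOWLIST):
            violations.append((str(src), port))
    return violations


if __name__ == "__main__":
    for src, port in find_violations(SAMPLE_FLOWS):
        print(f"RMM reachable from non-allowlisted source {src} on port {port}")
```

Any reported flow means a firewall or segmentation rule is letting traffic reach the RMM device from somewhere other than the engineering workstations.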
CVEs (1)