Advantech WebAccess/SCADA (Update A)
Priority: Plan Patch · Score: 7.3 · Source: ICS-CERT ICSA-21-168-03 · Published: Jun 17, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Advantech WebAccess/SCADA versions 9.0.1 and earlier contain two vulnerabilities: (1) path traversal allowing attackers to read files outside the intended directory, and (2) open redirect enabling attackers to redirect users to malicious webpages. Both can be exploited remotely without authentication. Successful exploitation could expose sensitive files such as configurations or credentials, or trick operators into phishing attacks.
What this means
What could happen
An attacker could read sensitive files outside the intended directory or trick users into visiting a malicious website, potentially compromising engineering credentials or plant configuration data stored in WebAccess/SCADA.
Who's at risk
Energy sector operators running Advantech WebAccess/SCADA versions 9.0.1 and earlier. This includes SCADA servers and HMI stations used to monitor and control generation, transmission, and distribution equipment.
How it could be exploited
An attacker with network access to the WebAccess/SCADA web interface could use the path traversal (CWE-23) to read files outside the application directory, or use the open redirect (CWE-601) to send an operator who follows a crafted link to an attacker-controlled site. Neither requires authentication; the open redirect does require the operator to click the link.
Prerequisites
- Network access to WebAccess/SCADA web interface (typically port 80/443)
- No valid credentials required
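A practitioner reading this advisory usually wants a way to spot attempts against the two weakness classes in the web server's access logs. The following is an added detection example, not Advantech code and not derived from the advisory: the IIS-style W3C log lines, the URL paths, the redirect parameter names and the trusted host list are all constructed placeholders, and the patterns are generic CWE-23 and CWE-601 indicators rather than product-specific signatures.

```python
"""
Detection example for CWE-23 (path traversal) and CWE-601 (open redirect)
attempts in web-server access logs. Added illustration: the log lines below
are constructed, and every path, parameter name and host in them is a
placeholder, not a WebAccess/SCADA endpoint.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts the application may legitimately redirect to (assumption: the SCADA
# server's own names). A redirect parameter pointing anywhere else is flagged.
TRUSTED_HOSTS = {"scada01.plant.local", "10.10.5.20"}

# Generic names for "where to go after this action" parameters (assumption).
REDIRECT_PARAMS = {"url", "redirect", "returnurl", "next", "target"}

# Minimal IIS W3C field subset assumed here:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<cip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# "../" or "..\" or "/.." or "\.." anywhere after decoding
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|[\\/]\.\.")


def fully_decode(s, rounds=3):
    """Undo repeated URL-encoding (%252e -> %2e -> .) so that double-encoded
    traversal sequences are not missed. Stops when decoding is a no-op."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def has_traversal(stem, query):
    """CWE-23 indicator: a dot-dot segment in the path or query after decoding,
    with either slash style. '-' is the IIS placeholder for an empty query."""
    for field in (stem, query):
        if field != "-" and TRAVERSAL_RE.search(fully_decode(field)):
            return True
    return False


def open_redirect_target(query):
    """CWE-601 indicator: the first redirect-parameter value whose host is not
    trusted, or None. Relative paths (no host) are allowed; scheme-relative
    '//evil' and the '/\\evil' form browsers normalise to '//' are caught."""
    if query == "-":
        return None
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for v in values:
            v = fully_decode(v).strip().replace("\\", "/")
            try:
                host = urlsplit(v).hostname
            except ValueError:
                return v  # unparseable destination: treat as suspicious
            if host is not None and host.lower() not in TRUSTED_HOSTS:
                return v
    return None


def decoded_request(stem, query):
    """Human-readable evidence string: decoded stem, plus decoded query if any."""
    s = fully_decode(stem)
    return s if query == "-" else s + "?" + fully_decode(query)


def scan(log_text):
    """Parse W3C-style lines and return (client_ip, kind, evidence) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        cip, stem, query = m["cip"], m["stem"], m["query"]
        if has_traversal(stem, query):
            findings.append((cip, "path_traversal", decoded_request(stem, query)))
        target = open_redirect_target(query)
        if target:
            findings.append((cip, "open_redirect", target))
    return findings


# Constructed sample log: two benign requests, two traversal attempts (one
# double-encoded with backslashes) and two open-redirect attempts.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-06-18 08:01:02 10.10.5.33 GET /app/view.asp id=42 200
2021-06-18 08:01:09 203.0.113.7 GET /app/view.asp file=..%2F..%2F..%2Fwindows%2Fwin.ini 200
2021-06-18 08:01:15 203.0.113.7 GET /app/..%255c..%255cconfig/db.ini - 200
2021-06-18 08:02:30 198.51.100.9 GET /app/login.asp returnurl=https%3A%2F%2Fevil.example%2Flogin 302
2021-06-18 08:02:41 10.10.5.33 GET /app/login.asp returnurl=%2FHome 302
2021-06-18 08:03:05 198.51.100.9 GET /app/login.asp next=%2F%5Cevil.example 302
"""

if __name__ == "__main__":
    for cip, kind, evidence in scan(SAMPLE_LOG):
        print(f"{cip:15} {kind:15} {evidence}")
```

Run as-is, it reports four findings: two traversal attempts from 203.0.113.7 and two redirect attempts from 198.51.100.9, while the benign `id=42` request and the relative `returnurl=/Home` are left alone. The decoding loop is the part worth keeping: a single `unquote` misses `%255c`, and a check that only looks for the literal `../` misses the backslash form IIS accepts.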
Tags: remotely exploitable · no authentication required · low complexity · affects control system visibility and data confidentiality
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product          | Affected Versions | Fix Status
WebAccess/SCADA  | ≤ 9.0.1           | 9.0.2 or later
Remediation & Mitigation
Do now
HARDENING: Restrict network access to WebAccess/SCADA to authorized engineering workstations and HMI operator stations only. Use firewall rules to deny internet-facing access.
Schedule (requires maintenance window)
Patching may require a reboot; plan for process interruption.
HOTFIX: Upgrade WebAccess/SCADA to version 9.0.2 or later (recommended: the latest available release).
HARDENING: Place WebAccess/SCADA servers on an isolated control network behind a firewall. Do not allow direct access from the business network or the internet.
HARDENING: If remote access to WebAccess/SCADA is required, use a VPN with strong authentication and keep the VPN software updated to the latest version.
CVEs (2)