OTPulse

Advantech WebAccess SCADA

Act Now · CVSS 9.8 · ICS-CERT ICSA-21-217-04 · Aug 5, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Advantech WebAccess/SCADA contains multiple input validation vulnerabilities (CWE-79 cross-site scripting, CWE-23 path traversal, CWE-121 buffer overflow) that allow unauthenticated remote attackers to hijack user sessions via cookie theft, access arbitrary files and directories on the server, and execute arbitrary code with server privileges. Affected versions are prior to 9.0.1 and prior to 8.4.5; no patch is currently available from the vendor.

What this means
What could happen
An attacker could steal session credentials from SCADA operators, gain unauthorized access to system files, and execute arbitrary code on the WebAccess server, potentially allowing them to modify process setpoints, disable alarms, or halt energy generation and distribution operations.
Who's at risk
Energy utilities operating Advantech WebAccess/SCADA systems for generation, transmission, and distribution control. This affects any operator using versions prior to 9.0.1 (version 8.x and earlier releases).
How it could be exploited
An attacker on the network (or internet, if WebAccess is internet-exposed) sends a crafted request containing path traversal and code injection payloads to the WebAccess web interface. The server fails to validate input, allowing the attacker to read files, inject malicious scripts into session cookies, or execute code with the privileges of the WebAccess process.
Prerequisites
  • Network access to the WebAccess web interface (typically port 80 or 443)
  • No authentication required for initial exploitation
remotely exploitable · no authentication required · low complexity · high CVSS score (9.8) · no patch currently available · critical severity
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (2)
Product | Affected Versions | Fix Status
WebAccess/SCADA | < 9.0.1 | No fix yet
WebAccess/SCADA | < 8.4.5 | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Implement network segmentation to restrict access to WebAccess to authorized engineering workstations and control networks only; block internet-facing access
  • WORKAROUND: Deploy a web application firewall (WAF) with rules to block path traversal patterns (../, ..\ sequences) and script injection attempts
  • HARDENING: Monitor for unusual file access patterns and failed authentication attempts on the WebAccess server
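
The WAF workaround and the monitoring item above both depend on recognising traversal sequences and script markup in request URLs, including percent-encoded forms. The following is an added example, not part of the advisory or any vendor tooling, that flags such requests in web server access logs; the log format, sample lines, paths and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request target inside a common-log-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A ".." segment with a path/query delimiter on its left and / or \ on its right
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=&?])\.\.(?:[\\/]|$)')
SCRIPT_RE = re.compile(r'<\s*script|javascript:', re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double/triple encoding

# Constructed sample lines (documentation IP ranges, made-up paths)
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2021:10:00:01 +0000] "GET /app/index.asp HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Aug/2021:10:00:05 +0000] "GET /app/view.asp?file=..%5c..%5cdata.txt HTTP/1.1" 200 92',
    '198.51.100.7 - - [05/Aug/2021:10:00:06 +0000] "GET /app/%252e%252e/%252e%252e/config HTTP/1.1" 404 0',
    '198.51.100.7 - - [05/Aug/2021:10:00:07 +0000] "GET /app/find.asp?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300',
    '192.0.2.10 - - [05/Aug/2021:10:00:09 +0000] "GET /docs/release..notes.txt HTTP/1.1" 200 100',
]


def fully_decode(target):
    """Percent-decode repeatedly so %252e%252e%252f is seen as ../"""
    for _ in range(MAX_DECODE_ROUNDS):
        target, previous = unquote(target), target
        if target == previous:
            break
    return target


def classify(line):
    """Return the list of findings for one access-log line (empty = clean)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = fully_decode(match.group(1))
    checks = (("path-traversal", TRAVERSAL_RE), ("script-injection", SCRIPT_RE))
    return [name for name, rx in checks if rx.search(target)]


def scan(lines):
    """Return (line number, client address, findings) for each flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits.append((number, line.split()[0], findings))
    return hits
```

Matching on the decoded target is what catches the backslash and double-encoded variants that a literal `../` filter misses; the last sample line shows that a filename merely containing two dots is not flagged.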
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Evaluate upgrade path to WebAccess/SCADA 9.0.1 or newer once available, or plan migration to a patched alternative SCADA platform