Advantech WebAccess SCADA
Monitor | 4.3 | ICS-CERT ICSA-21-285-01 | Oct 12, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Advantech WebAccess/SCADA versions 9.0.3 and earlier contain an information disclosure vulnerability (CWE-862) that allows authenticated users to access project names and file paths on the server. This could reveal sensitive information about the system configuration and operational topology. CVSS v3.0 score is 4.3 (medium).
What this means
What could happen
An attacker with valid credentials could view SCADA project names and file paths on the WebAccess server, potentially revealing system topology and sensitive operational details.
Who's at risk
Energy sector operators using Advantech WebAccess/SCADA, particularly those running version 9.0.3 or earlier, should assess this vulnerability. This affects SCADA servers that manage supervisory control and monitoring functions in electric generation and transmission facilities.
How it could be exploited
An attacker on your network with valid WebAccess user credentials can send requests to the server to enumerate project names and file paths. No special tools or complex steps are needed—this is a basic information disclosure vulnerability requiring only network access and valid login credentials.
Prerequisites
- Network access to the WebAccess/SCADA server
- Valid WebAccess user account credentials
- WebAccess/SCADA version 9.0.3 or earlier
Tags: remotely exploitable, requires valid credentials, low complexity, information disclosure only, affects system topology visibility
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
WebAccess/SCADA | ≤ 9.0.3 | 9.1.1
Remediation & Mitigation
Do now
- HARDENING: Restrict WebAccess/SCADA network access using firewall rules; do not expose the server to the Internet or untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade WebAccess/SCADA to version 9.1.1 or later
- HARDENING: Review and audit user accounts with WebAccess/SCADA access; revoke unused or excessive credentials
Long-term hardening
- HARDENING: Isolate WebAccess/SCADA systems from the business network and place them behind firewalls
- HARDENING: If remote access to WebAccess/SCADA is required, enforce VPN with current security updates and strong access controls
CVEs (1)
API:
/api/v1/advisories/6f478552-3e08-4593-ad46-ae2e770d8e9e