Advantech WebAccess/SCADA
Plan Patch | 7.3 | ICS-CERT ICSA-23-150-01 | May 25, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Advantech WebAccess/SCADA version 8.4.5 contains a privilege escalation or improper access control vulnerability in the WebAccess Dashboard component (WADashboardSetup.msi and associated files). Successful exploitation allows an attacker with local access to gain full control over the SCADA server. The vulnerability is not remotely exploitable. Advantech has released version 9.1.4, which removes the vulnerable files. For version 8.4.5, the workaround is to uninstall the WebAccess Dashboard component and delete the associated files.
What this means
What could happen
An attacker with local access to the WebAccess/SCADA server could gain full control over the SCADA system and alter industrial processes, stop operations, or manipulate critical control setpoints.
Who's at risk
Energy sector operators running Advantech WebAccess/SCADA version 8.4.5 should care about this issue. This applies to SCADA servers that manage generation, transmission, or distribution control systems, as well as any smaller utilities or industrial facilities using this platform for process supervision and data acquisition.
How it could be exploited
An attacker must first gain local access to the WebAccess/SCADA server (e.g., via social engineering, malware delivery, or physical access). The vulnerability, a local privilege escalation or improper access control issue, resides in the WADashboard component (WADashboardSetup.msi). Once the attacker exploits this, they gain full system control.
Prerequisites
- Local access to the WebAccess/SCADA server
- WebAccess/SCADA version 8.4.5 with WADashboard component installed
- Ability to interact with the vulnerable component (user-level or low-privilege account sufficient)
- Full system compromise possible
- Local access required but low complexity
- Affects critical SCADA operations
- No patch available for version 8.4.5
- WebAccess Dashboard included by default
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| WebAccess/SCADA: 8.4.5 | 8.4.5 | 9.1.4 |
Remediation & Mitigation
Do now
- WORKAROUND: Locate and delete the file WADashboardSetup.msi from the server
- WORKAROUND: Uninstall the WebAccess Dashboard component from Control Panel and delete the directory \Inetpub\wwwroot\broadweb\WADashboard
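A read-only check for whether the workaround above has been applied, added here as an example and not taken from the advisory or from Advantech tooling. It looks for the directory and installer file named above and for a Dashboard component that is still registered as installed; the default search root and the display-name pattern are assumptions.

```powershell
# Added example: read-only audit for the WADashboard workaround on a WebAccess/SCADA 8.4.5 host.
# Nothing is deleted or uninstalled; the script only reports what is still present.
[CmdletBinding()]
param(
    # Where to look for the installer. The advisory does not say where the file is stored,
    # so the default (assumption) is the whole system drive; narrow it to speed up the scan.
    [string[]]$SearchRoots = @("$env:SystemDrive\"),
    # Assumed display-name pattern of the installed component; adjust to match your host.
    [string]$NamePattern = '*WebAccess*Dashboard*'
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. Directory named in the advisory, checked on every fixed drive
#    (the advisory gives the path without a drive letter).
$drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
    Select-Object -ExpandProperty DeviceID
foreach ($d in $drives) {
    $dir = Join-Path "$d\" 'Inetpub\wwwroot\broadweb\WADashboard'
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $findings.Add([pscustomobject]@{ Check = 'WADashboard directory'; Detail = $dir })
    }
}

# 2. Installer file named in the advisory.
foreach ($root in $SearchRoots | Where-Object { Test-Path -LiteralPath $_ }) {
    Get-ChildItem -LiteralPath $root -Filter 'WADashboardSetup.msi' -File -Recurse `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Check = 'Installer file'; Detail = $_.FullName })
        }
}

# 3. Component still registered as installed (64- and 32-bit uninstall keys).
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        $detail = "$($_.DisplayName) $($_.DisplayVersion)"
        $findings.Add([pscustomobject]@{ Check = 'Installed component'; Detail = $detail })
    }

if ($findings.Count -eq 0) {
    Write-Output 'No WADashboard artifacts found in the locations checked.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

An empty result only covers the locations checked; a copy of the installer outside `$SearchRoots` would not be reported.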
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade WebAccess/SCADA to version 9.1.4 or later
Long-term hardening
- HARDENING: Implement local access controls and endpoint protection to prevent unauthorized local access to SCADA servers
- HARDENING: Monitor for and block suspicious email attachments and web links that could deliver malware to user workstations with access to the SCADA server
CVEs (1)