CVE-2023-2866

Summary

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.

Affected Software

VendorProductVersion RangeStatus
AdvantechWebAccess/SCADA8.4.5affected

Weaknesses

  • CWE-351: CWE-351 Insufficient Type Distinction

Workarounds

Advantech recommends users locate and delete the “WADashboardSetup.msi” file to avoid this issue.

If users wish to remedy this problem in version 8.4.5, they can uninstall "WebAccess Dashboard" from the control panel. Delete all the files:

\Inetpub\wwwroot\broadweb\WADashboard

\WebAccess\Node\WADashboardSetup.msi

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References