CVE-2023-2866
7.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Advantech | WebAccess/SCADA | 8.4.5 | affected |
Weaknesses
- CWE-351: CWE-351 Insufficient Type Distinction
Workarounds
Advantech recommends users locate and delete the “WADashboardSetup.msi” file to avoid this issue.
If users wish to remedy this problem in version 8.4.5, they can uninstall "WebAccess Dashboard" from the control panel. Delete all the files:
\Inetpub\wwwroot\broadweb\WADashboard
\WebAccess\Node\WADashboardSetup.msi
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.