Threat and Patch Advisory

Advantech WebAccess/SCADA Advisory

CVE-2023-2866 – Insufficient Type Distinction vulnerability where .zip files containing webshells can be uploaded on the SCADA server. If an authenticated user is tricked into loading the file via a link, remote code execution on the SCADA server can be achieved.

Mitigations:
Advantech recommends users locate and delete the “WADashboardSetup.msi” file to avoid this issue.

If users wish to remedy this problem in version 8.4.5, they can uninstall “WebAccess Dashboard” from the control panel. Delete all the files:

  1. \Inetpub\wwwroot\broadweb\WADashboard
  2. \WebAccess\Node\WADashboardSetup.msi

Version 9.1.4 has been released to fix this issue

WebAccess/SCADA V9.1 Series:

MD5 of WebAccess/SCADA V9.1.4
MD5: 277e4a8ee4b929d412c696024ea9e9be