Advantech WebAccess/SCADA Advisory

May 30, 2023

CVE-2023-2866 – Insufficient Type Distinction vulnerability where .zip files containing webshells can be uploaded on the SCADA server. If an authenticated user is tricked into loading the file via a link, remote code execution on the SCADA server can be achieved.

Mitigations:
Advantech recommends users locate and delete the “WADashboardSetup.msi” file to avoid this issue.

If users wish to remedy this problem in version 8.4.5, they can uninstall “WebAccess Dashboard” from the control panel. Delete all the files:

\Inetpub\wwwroot\broadweb\WADashboard
\WebAccess\Node\WADashboardSetup.msi

Version 9.1.4 has been released to fix this issue

WebAccess/SCADA V9.1 Series:

MD5 of WebAccess/SCADA V9.1.4
MD5: 277e4a8ee4b929d412c696024ea9e9be

Reference

Related Posts

CVE-2023-34362 – MOVEit SQL Injection

Zyxel CVE-2023-28771 – Command Injection

Exploited in the wild: Barracuda Email Security Gateway Appliance (ESG) (CVE-2023-2868)