AdvantechCVEs & Vulnerabilities

378 CVEs affecting Advantech products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

webaccess 115advantech webaccess 111r-seenet 40iview 37webaccess\/scada 29eki-6333ac-2gd firmware 20eki-6333ac-2gd 20eki-6333ac-2g firmware 20
CVE-2020-14501CRITICAL

Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also delete the administrator account.

15 Jul 2020
9.8
CVSS
CVE-2020-14499HIGH

Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.

15 Jul 2020
7.5
CVSS
CVE-2020-14507CRITICAL

Advantech iView, versions 5.6 and prior, is vulnerable to multiple path traversal vulnerabilities that could allow an attacker to create/download arbitrary files, limit system availability, and remotely execute code.

15 Jul 2020
9.8
CVSS
CVE-2020-14505CRITICAL

Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection”) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that creates a command string without any validation. The attacker may then remotely execute code.

15 Jul 2020
9.8
CVSS
CVE-2020-14497CRITICAL

Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.

15 Jul 2020
9.8
CVSS
CVE-2020-12019CRITICAL

WebAccess Node Version 8.4.4 and prior is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code.

15 Jun 2020
9.8
CVSS
CVE-2020-12026HIGH

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control.

8 May 2020
8.8
CVSS
CVE-2020-12022CRITICAL

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An improper validation vulnerability exists that could allow an attacker to inject specially crafted input into memory where it can be executed.

8 May 2020
9.8
CVSS
CVE-2020-12018HIGH

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An out-of-bounds vulnerability exists that may allow access to unauthorized data.

8 May 2020
7.5
CVSS
CVE-2020-12014HIGH

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Input is not properly sanitized and may allow an attacker to inject SQL commands.

8 May 2020
7.5
CVSS
CVE-2020-12010HIGH

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow an authenticated user to use a specially crafted file to delete files outside the application’s control.

8 May 2020
7.1
CVSS
CVE-2020-12006CRITICAL

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control.

8 May 2020
9.8
CVSS
CVE-2020-12002CRITICAL

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple stack-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution.

8 May 2020
9.8
CVSS
CVE-2020-10638CRITICAL

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple heap-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution.

8 May 2020
9.8
CVSS
CVE-2020-10631CRITICAL

An attacker could use a specially crafted URL to delete or read files outside the WebAccess/NMS's (versions prior to 3.0.2) control.

9 Apr 2020
9.8
CVSS
CVE-2020-10629HIGH

WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. Specially crafted XML input could allow an attacker to read sensitive files.

9 Apr 2020
7.5
CVSS
CVE-2020-10625CRITICAL

WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remote user to create a new admin account.

9 Apr 2020
9.8
CVSS
CVE-2020-10623MEDIUM

Multiple vulnerabilities could allow an attacker with low privileges to perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information.

9 Apr 2020
6.5
CVSS
CVE-2020-10619CRITICAL

An attacker could use a specially crafted URL to delete files outside the WebAccess/NMS's (versions prior to 3.0.2) control.

9 Apr 2020
9.1
CVSS
CVE-2020-10617HIGH

There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information.

9 Apr 2020
7.5
CVSS
CVE-2020-10603HIGH

WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize user input and may allow an attacker to inject system commands remotely.

9 Apr 2020
8.8
CVSS
CVE-2020-10621CRITICAL

Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2).

9 Apr 2020
9.8
CVSS
CVE-2019-3942HIGH

Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password.

1 Apr 2020
7.5
CVSS
CVE-2020-10607HIGH

In Advantech WebAccess, Versions 8.4.2 and prior. A stack-based buffer overflow vulnerability caused by a lack of proper validation of the length of user-supplied data may allow remote code execution.

27 Mar 2020
8.8
CVSS
CVE-2019-18257CRITICAL

In Advantech DiagAnywhere Server, Versions 3.07.11 and prior, multiple stack-based buffer overflow vulnerabilities exist in the file transfer service listening on the TCP port. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code with the privileges of the user running DiagAnywhere Server.

18 Dec 2019
9.8
CVSS
CVE-2019-3951CRITICAL

Advantech WebAccess before 8.4.3 allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (memory corruption) due to a stack-based buffer overflow when handling IOCTL 70533 RPC messages.

13 Dec 2019
9.8
CVSS
CVE-2019-18229MEDIUM

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitization of user-supplied input cause SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information.

1 Nov 2019
6.5
CVSS
CVE-2019-18227HIGH

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data.

1 Nov 2019
7.5
CVSS
CVE-2019-13551CRITICAL

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Path traversal vulnerabilities are caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage these vulnerabilities to remotely execute code while posing as an administrator.

1 Nov 2019
9.8
CVSS
CVE-2019-13547CRITICAL

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. There is an unsecured function that allows anyone who can access the IP address to use the function without authentication.

1 Nov 2019
9.8
CVSS
CVE-2019-16901HIGH

Advantech WebAccess/HMI Designer 2.1.9.31 has Exception Handler Chain corruption starting at Unknown Symbol @ 0x0000000000000000 called from ntdll!RtlRaiseStatus+0x00000000000000b4.

26 Sep 2019
7.5
CVSS
CVE-2019-16900HIGH

Advantech WebAccess/HMI Designer 2.1.9.31 has a User Mode Write AV starting at MSVCR90!memcpy+0x000000000000015c.

26 Sep 2019
7.5
CVSS
CVE-2019-16899HIGH

In Advantech WebAccess/HMI Designer 2.1.9.31, Data from a Faulting Address controls Code Flow starting at PM_V3!CTagInfoThreadBase::GetNICInfo+0x0000000000512918.

26 Sep 2019
7.5
CVSS
CVE-2019-13558CRITICAL

In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash.

19 Sep 2019
9.8
CVSS
CVE-2019-13556HIGH

In WebAccess versions 8.4.1 and prior, multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

19 Sep 2019
8.8
CVSS
CVE-2019-13552HIGH

In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may allow arbitrary file deletion and remote code execution.

19 Sep 2019
8.8
CVSS
CVE-2019-13550CRITICAL

In WebAccess, versions 8.4.1 and prior, an improper authorization vulnerability may allow an attacker to disclose sensitive information, cause improper control of generation of code, which may allow remote code execution or cause a system crash.

19 Sep 2019
9.8
CVSS
CVE-2019-3975CRITICAL

Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.1 allows a remote, unauthenticated attacker to execute arbitrary code via a crafted IOCTL 70603 RPC message.

10 Sep 2019
9.8
CVSS
CVE-2019-10961HIGH

In Advantech WebAccess HMI Designer Version 2.1.9.23 and prior, processing specially crafted MCR files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, allowing remote code execution.

2 Aug 2019
8.8
CVSS
CVE-2019-10993CRITICAL

In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointer dereference vulnerabilities may allow a remote attacker to execute arbitrary code.

29 Jun 2019
9.8
CVSS
CVE-2019-10991CRITICAL

In WebAccess/SCADA, Versions 8.3.5 and prior, multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

29 Jun 2019
9.8
CVSS
CVE-2019-10989CRITICAL

In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution. Note: A different vulnerability than CVE-2019-10991.

29 Jun 2019
9.8
CVSS
CVE-2019-10987HIGH

In WebAccess/SCADA Versions 8.3.5 and prior, multiple out-of-bounds write vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

29 Jun 2019
8.8
CVSS
CVE-2019-10985CRITICAL

In WebAccess/SCADA, Versions 8.3.5 and prior, a path traversal vulnerability is caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage this vulnerability to delete files while posing as an administrator.

29 Jun 2019
9.1
CVSS
CVE-2019-10983HIGH

In WebAccess/SCADA Versions 8.3.5 and prior, an out-of-bounds read vulnerability is caused by a lack of proper validation of user-supplied data. Exploitation of this vulnerability may allow disclosure of information.

29 Jun 2019
7.5
CVSS
CVE-2019-3954CRITICAL

Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.

19 Jun 2019
9.8
CVSS
CVE-2019-3953CRITICAL

Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 10012 RPC call.

19 Jun 2019
9.8
CVSS
CVE-2019-3941HIGH

Advantech WebAccess 8.3.4 allows unauthenticated, remote attackers to delete arbitrary files via IOCTL 10005 RPC.

9 Apr 2019
7.5
CVSS