Lucene search

IcscertCVELIST:CVE-2023-1437

HistoryAug 02, 2023 - 10:30 p.m.

CVE-2023-1437 CVE-2023-1437

2023-08-0222:30:43

CWE-822

icscert

www.cve.org

advantech webaccess/scada

vulnerability

remote access

command execution

remote file system

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

53.7%

JSON

All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments the client sent could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "WebAccess/SCADA",
    "vendor": "Advantech",
    "versions": [
      {
        "lessThan": "9.1.4",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/news-events/ics-advisories/icsa-23-166-02

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

53.7%

JSON

Related for CVELIST:CVE-2023-1437