Advantech Webaccess
By the Year
In 2026 there have been 0 vulnerabilities in Advantech Webaccess. Last year, in 2025, Webaccess had 13 security vulnerabilities published. Right now, Webaccess is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 13 | 4.30 |
| 2024 | 0 | 0.00 |
| 2023 | 2 | 7.65 |
| 2022 | 0 | 0.00 |
| 2021 | 4 | 8.88 |
| 2020 | 12 | 8.70 |
| 2019 | 19 | 9.23 |
| 2018 | 23 | 7.39 |
It may take a day or so for new Webaccess vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Advantech Webaccess Security Vulnerabilities
Advantech WebAccess/SCADA Abs Dir Traversal
CVE-2025-14848
4.3 - Medium
- December 18, 2025
Advantech WebAccess/SCADA is vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files.
Absolute Path Traversal
Advantech WebAccess VPN 1.1.5 SQLi via NetworksController.addNetworkAction()
CVE-2025-34247
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in NetworksController.addNetworkAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
SQL Injection
Advantech WebAccess/VPN <1.1.5: SQLi via AjaxPrevalidationController
CVE-2025-34246
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxPrevalidationController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
SQL Injection
Advantech WebAccess/VPN SQLi prior to 1.1.5 via AjaxStandaloneVpnClientsController
CVE-2025-34245
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxStandaloneVpnClientsController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
SQL Injection
SQLi in Advantech WebAccess/VPN <1.1.5 via AjaxFwRulesController
CVE-2025-34244
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxDeviceFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
SQL Injection
SQLi in Advantech WebAccess/VPN <1.1.5 via AjaxFwRulesController
CVE-2025-34243
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxNetworkFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
SQL Injection
Advantech WebAccess/VPN <=1.1.4: Auth observer SQLi via AjaxNetworkController
CVE-2025-34242
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxNetworkController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
SQL Injection
Advantech WebAccess/VPN <=1.1.4: SQLi in AjaxDeviceController
CVE-2025-34241
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxDeviceController.ajaxDeviceAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
SQL Injection
SQLi via AuthObs in Advantech WebAcc/VPN <1.1.5 AppMgmtCtrl.appUpgradeAction()
CVE-2025-34240
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
SQL Injection
Advantech WebAccess/VPN <1.1.5: Auth Cmd Injection via AppMgmtCtrl
CVE-2025-34239
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a command injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated system administrator to execute arbitrary commands as the web server user (www-data) by supplying a crafted uploaded filename.
Shell injection
Advantech WebAccess/VPN <1.1.5: Authenticated Path Traversal Exploit
CVE-2025-34238
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain an absolute path traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction() that allows an authenticated network administrator to cause the application to read and return the contents of arbitrary files the web user (www-data) can access.
Directory traversal
Advantech WebAccess/VPN <1.1.5 XSS via addStandaloneVpnClientAction()
CVE-2025-34237
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via StandaloneVpnClientsController.addStandaloneVpnClientAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
XSS
Advantech WebAccess/VPN <1.1.5 XSS via NetworksController.addNetworkAction()
CVE-2025-34236
- November 06, 2025
Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via NetworksController.addNetworkAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
XSS
Advantech WebAccess 9.1.3 Information Disclosure of Credentials
CVE-2023-4215
7.5 - High
- October 17, 2023
Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials.
Debug Messages Revealing Unnecessary Information
Advantech WebAccess 8.4.5 zip upload allows web shell
CVE-2023-2866
7.8 - High
- June 07, 2023
If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.
Insufficient Verification of Data Authenticity
Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may
CVE-2021-33023
9.8 - Critical
- October 18, 2021
Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may allow an attacker to remotely execute code.
Memory Corruption
Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may
CVE-2021-38389
9.8 - Critical
- October 18, 2021
Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code.
Memory Corruption
A stack-based buffer overflow vulnerability in Advantech WebAccess Versions 9.02 and prior caused by a lack of proper validation of the length of user-supplied data may
CVE-2021-38408
9.8 - Critical
- September 09, 2021
A stack-based buffer overflow vulnerability in Advantech WebAccess Versions 9.02 and prior caused by a lack of proper validation of the length of user-supplied data may allow remote code execution.
Stack Overflow
Advantech WebAccess 8.4.2 and 8.4.4
CVE-2021-34540
6.1 - Medium
- June 11, 2021
Advantech WebAccess 8.4.2 and 8.4.4 allows XSS via the username column of the bwRoot.asp page of WADashboard.
XSS
WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may
CVE-2020-16202
- September 22, 2020
WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may allow code execution with system privileges.
Incorrect Permission Assignment for Critical Resource
WebAccess Node Version 8.4.4 and prior is vulnerable to a stack-based buffer overflow, which may
CVE-2020-12019
- June 15, 2020
WebAccess Node Version 8.4.4 and prior is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code.
Stack Overflow
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0
CVE-2020-10638
9.8 - Critical
- May 08, 2020
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple heap-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution.
Memory Corruption
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0
CVE-2020-12026
- May 08, 2020
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application's control.
Relative Path Traversal
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0
CVE-2020-12022
- May 08, 2020
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An improper validation vulnerability exists that could allow an attacker to inject specially crafted input into memory where it can be executed.
out-of-bounds array index
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0
CVE-2020-12018
- May 08, 2020
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An out-of-bounds vulnerability exists that may allow access to unauthorized data.
Out-of-bounds Read
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0
CVE-2020-12014
- May 08, 2020
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Input is not properly sanitized and may allow an attacker to inject SQL commands.
SQL Injection
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0
CVE-2020-12010
- May 08, 2020
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow an authenticated user to use a specially crafted file to delete files outside the application's control.
Relative Path Traversal
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0
CVE-2020-12006
- May 08, 2020
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application's control.
Relative Path Traversal
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0
CVE-2020-12002
- May 08, 2020
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple stack-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution.
Stack Overflow
Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files
CVE-2019-3942
7.5 - High
- April 01, 2020
Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password.
Insufficiently Protected Credentials
In Advantech WebAccess, Versions 8.4.2 and prior
CVE-2020-10607
8.8 - High
- March 27, 2020
In Advantech WebAccess, Versions 8.4.2 and prior. A stack-based buffer overflow vulnerability caused by a lack of proper validation of the length of user-supplied data may allow remote code execution.
Memory Corruption
Advantech WebAccess before 8.4.3
CVE-2019-3951
9.8 - Critical
- December 12, 2019
Advantech WebAccess before 8.4.3 allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (memory corruption) due to a stack-based buffer overflow when handling IOCTL 70533 RPC messages.
Memory Corruption
In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may
CVE-2019-13558
- September 18, 2019
In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash.
Code Injection
In WebAccess versions 8.4.1 and prior
CVE-2019-13556
- September 18, 2019
In WebAccess versions 8.4.1 and prior, multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.
Stack Overflow
In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may
CVE-2019-13552
- September 18, 2019
In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may allow arbitrary file deletion and remote code execution.
Command Injection
In WebAccess, versions 8.4.1 and prior, an improper authorization vulnerability may
CVE-2019-13550
- September 18, 2019
In WebAccess, versions 8.4.1 and prior, an improper authorization vulnerability may allow an attacker to disclose sensitive information, cause improper control of generation of code, which may allow remote code execution or cause a system crash.
AuthZ
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.1
CVE-2019-3975
9.8 - Critical
- September 10, 2019
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.1 allows a remote, unauthenticated attacker to execute arbitrary code via a crafted IOCTL 70603 RPC message.
Classic Buffer Overflow
In WebAccess/SCADA
CVE-2019-10991
9.8 - Critical
- June 28, 2019
In WebAccess/SCADA, Versions 8.3.5 and prior, multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.
Memory Corruption
In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointer dereference vulnerabilities may
CVE-2019-10993
9.8 - Critical
- June 28, 2019
In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointer dereference vulnerabilities may allow a remote attacker to execute arbitrary code.
Buffer Overflow
In WebAccess/SCADA Versions 8.3.5 and prior
CVE-2019-10989
9.8 - Critical
- June 28, 2019
In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution. Note: A different vulnerability than CVE-2019-10991.
Memory Corruption
In WebAccess/SCADA Versions 8.3.5 and prior
CVE-2019-10987
8.8 - High
- June 28, 2019
In WebAccess/SCADA Versions 8.3.5 and prior, multiple out-of-bounds write vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.
Memory Corruption
In WebAccess/SCADA
CVE-2019-10985
9.1 - Critical
- June 28, 2019
In WebAccess/SCADA, Versions 8.3.5 and prior, a path traversal vulnerability is caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage this vulnerability to delete files while posing as an administrator.
Directory traversal
In WebAccess/SCADA Versions 8.3.5 and prior
CVE-2019-10983
7.5 - High
- June 28, 2019
In WebAccess/SCADA Versions 8.3.5 and prior, an out-of-bounds read vulnerability is caused by a lack of proper validation of user-supplied data. Exploitation of this vulnerability may allow disclosure of information.
Out-of-bounds Read
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0
CVE-2019-3954
9.8 - Critical
- June 19, 2019
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.
Memory Corruption
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0
CVE-2019-3953
9.8 - Critical
- June 18, 2019
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 10012 RPC call.
Memory Corruption
Advantech WebAccess 8.3.4 is vulnerable to file upload attacks via unauthenticated RPC call
CVE-2019-3940
9.8 - Critical
- April 09, 2019
Advantech WebAccess 8.3.4 is vulnerable to file upload attacks via unauthenticated RPC call. An unauthenticated, remote attacker can use this vulnerability to execute arbitrary code.
Unrestricted File Upload
Advantech WebAccess 8.3.4
CVE-2019-3941
7.5 - High
- April 09, 2019
Advantech WebAccess 8.3.4 allows unauthenticated, remote attackers to delete arbitrary files via IOCTL 10005 RPC.
Missing Authentication for Critical Function
Advantech WebAccess/SCADA, Versions 8.3.5 and prior
CVE-2019-6550
9.8 - Critical
- April 05, 2019
Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple stack-based buffer overflow vulnerabilities, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution.
Buffer Overflow
Advantech WebAccess/SCADA, Versions 8.3.5 and prior
CVE-2019-6552
9.8 - Critical
- April 05, 2019
Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple command injection vulnerabilities, caused by a lack of proper validation of user-supplied data, may allow remote code execution.
Command Injection
Advantech WebAccess/SCADA, Versions 8.3.5 and prior
CVE-2019-6554
7.5 - High
- April 05, 2019
Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.
Authorization