Advantech WebAccess/SCADA RPC Untrusted Pointer RCE v<=9.1.4
CVE-2023-1437 Published on August 2, 2023

CVE-2023-1437
All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments the client sent could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files.

NVD

Vulnerability Analysis

CVE-2023-1437 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Untrusted Pointer Dereference

The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.


Products Associated with CVE-2023-1437

stack.watch emails you whenever new vulnerabilities are published in Advantech Webaccessscada or Advantech Webaccess Scada. Just hit a watch button to start following.

Advantech Webaccessscada
 
Advantech Webaccess Scada
 

Affected Versions

Advantech WebAccess/SCADA:

Exploit Probability

EPSS
0.15%
Percentile
34.78%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.