CVE-2023-32540

Vulnerability

In Advantech WebAccess/SCADA versions 9.1.3 and prior, an arbitrary file overwrite vulnerability exists (CWE-94: Improper Control of Generation of Code). The flaw allows an authenticated user to overwrite any file in the operating system, including system files, inject code into an XLS file, and modify file extensions, potentially leading to arbitrary code execution. This vulnerability is assigned CVE-2023-32540 [1].

Exploitation

An attacker must be authenticated (manager-level user). The attack is remotely exploitable with low complexity. By leveraging the file overwrite capability, the attacker can write arbitrary content to any location on the filesystem, including injecting malicious code into an XLS file. The exact sequence of steps is not detailed in the available references, but the ability to choose the target file and content gives the attacker significant control over the system [1].

Impact

Successful exploitation allows the attacker to overwrite arbitrary files, including critical system files, and inject arbitrary code into XLS files. This can lead to remote code execution (RCE) with the privileges of the WebAccess process. The CVSS v3 base score is 7.2, with vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability [1].

Mitigation

Advantech has not released a patched version as of the CISA advisory publication date (2023-06-05). Users are advised to apply the vendor's security update when available and to follow general security best practices, such as restricting network access to the affected system and limiting user privileges. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of this writing [1].