CVE-2023-32628

Vulnerability

In Advantech WebAccess/SCADA versions 9.1.3 and prior, there is an unrestricted file upload vulnerability (CWE-434) that allows an authenticated manager user to upload a certificate file and change its extension to .asp during the upload process. This effectively bypasses intended file type restrictions, enabling the attacker to place an ASP script on the web server [1].

Exploitation

To exploit this vulnerability, an attacker must have valid credentials with manager-level privileges on the Advantech WebAccess/SCADA system. The attacker uploads a specially crafted certificate file but modifies its extension to .asp when using the upload functionality. The web server then treats the uploaded file as an executable ASP script [1].

Impact

Successful exploitation allows the attacker to achieve remote code execution on the web server with the privileges of the web application. This can lead to full compromise of the affected system, including arbitrary file read/write, installation of malware, or further lateral movement. The CVSS v3 base score is 7.2, reflecting high impact on confidentiality, integrity, and availability [1].

Mitigation

As of the advisory publication date (June 5, 2023), Advantech has not released a patched version for WebAccess/SCADA. Users are advised to restrict network access to the affected system, apply the principle of least privilege for user accounts, and monitor for any vendor updates addressing this vulnerability. The CISA advisory recommends following the vendor's security guidance and implementing defensive measures [1].