The recent discovery of a SQL injection vulnerability in Advantech’s WebAccess/SCADA software has emphasized the critical need for organizations to take immediate action in mitigating this cyber threat. The vulnerability is characterized by a CVSS v4 score of 7.1, indicating that it is exploitable remotely, with low attack complexity, and public exploits are readily available. This substantial risk exposes an authenticated attacker to the potential to read or modify a remote database. The affected versions of the browser-based SCADA software are identified as WebAccess/SCADA: Version 9.1.5U.
The SQL injection vulnerability in Advantech’s WebAccess/SCADA software allows an authenticated attacker to remotely inject SQL code into the database, facilitating unauthorized access or manipulation of critical data. The severity of the vulnerability is evident with the assignment of CVE-2024-2453, with a calculated base score of 7.1 in CVSS v4. The critical infrastructure sectors impacted by this vulnerability include critical manufacturing, energy, water, and wastewater systems in East Asia, Europe, and the United States, with Advantech’s headquarters located in Taiwan. The discovery of a public Proof of Concept (PoC) authored by Prześlij Komentarz further emphasizes the urgency for organizations to address this threat promptly.
Mitigating measures recommended by Advantech include updating to WebAccess/SCADA version 9.1.6 or higher. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) advises users to implement defensive measures to minimize the risk of exploitation. This includes minimizing network exposure, employing firewalls to isolate control system networks, and utilizing secure remote access methods such as Virtual Private Networks (VPNs). Organizations are encouraged to perform proper impact analysis and risk assessment prior to deploying these defensive measures. CISA further encourages the implementation of recommended cybersecurity strategies for proactive defense of industrial control system (ICS) assets.
