CVE-2019-13551
📋 TL;DR
This critical path traversal vulnerability in Advantech WISE-PaaS/RMM allows attackers to bypass directory restrictions and access arbitrary files or execute code remotely by manipulating file paths. Systems running WISE-PaaS/RMM version 3.3.29 or earlier are affected, particularly those exposed to untrusted networks.
💻 Affected Systems
- Advantech WISE-PaaS/RMM
📦 What is this software?
Wise Paas\/rmm by Advantech
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with administrator privileges leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Unauthorized file access, configuration file manipulation, and potential privilege escalation leading to system control.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and input validation controls in place.
🎯 Exploit Status
Multiple ZDI advisories confirm weaponization; exploitation requires minimal technical skill due to lack of authentication requirements.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.3.30 or later
Vendor Advisory: https://www.advantech.com/support
Restart Required: Yes
Instructions:
1. Download latest version from Advantech support portal. 2. Backup current configuration. 3. Install update following vendor documentation. 4. Restart services. 5. Verify patch application.
🔧 Temporary Workarounds
Network Segmentation
allIsolate WISE-PaaS/RMM systems from untrusted networks and internet exposure
Input Validation Rules
allImplement web application firewall rules to block path traversal patterns
WAF rule: deny requests containing '../' or similar traversal sequences
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted IPs only
- Deploy application-level monitoring for path traversal attempts and file access anomalies
🔍 How to Verify
Check if Vulnerable:
Check WISE-PaaS/RMM version via admin interface or configuration files; versions ≤3.3.29 are vulnerableCheck Version:
Check web interface or configuration files for version informationVerify Fix Applied:
Verify version is ≥3.3.30 and test path traversal attempts return proper error responses📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' sequences
- Unauthorized file access attempts
- Unusual file operations in system logs
Network Indicators:
- HTTP requests with encoded traversal patterns (%2e%2e%2f)
- Multiple failed file access attempts from single source
SIEM Query:
source="web_logs" AND (uri="*../*" OR uri="*..%2f*" OR uri="*%2e%2e%2f*")🔗 References
- https://www.us-cert.gov/ics/advisories/icsa-19-304-01
- https://www.zerodayinitiative.com/advisories/ZDI-19-935/
- https://www.zerodayinitiative.com/advisories/ZDI-19-941/
- https://www.zerodayinitiative.com/advisories/ZDI-19-950/
- https://www.zerodayinitiative.com/advisories/ZDI-19-958/
- https://www.us-cert.gov/ics/advisories/icsa-19-304-01
- https://www.zerodayinitiative.com/advisories/ZDI-19-935/
- https://www.zerodayinitiative.com/advisories/ZDI-19-941/
- https://www.zerodayinitiative.com/advisories/ZDI-19-950/
- https://www.zerodayinitiative.com/advisories/ZDI-19-958/
