CVE-2020-10625
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to create new administrator accounts in Advantech WebAccess/NMS network management software. Systems running versions prior to 3.0.2 are affected, potentially giving attackers full control over the network management platform.
💻 Affected Systems
- Advantech WebAccess/NMS
📦 What is this software?
WebAccess/NMS by Advantech
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of network management system, enabling attackers to reconfigure network devices, deploy malware across managed systems, and maintain persistent access to the entire network infrastructure.
Likely Case
Attackers create admin accounts to gain unauthorized access, potentially leading to network reconnaissance, data exfiltration, or deployment of ransomware across managed devices.
If Mitigated
With proper network segmentation and access controls, impact is limited to the WebAccess/NMS system itself, though attackers could still compromise network management functions.
🎯 Exploit Status
The vulnerability is simple to exploit - attackers can send crafted HTTP requests to create admin accounts without any authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.2
Vendor Advisory: https://www.advantech.com/support/details/firmware?id=1KXKJ8K8K8K8K8K8
Restart Required: Yes
Instructions:
1. Download WebAccess/NMS version 3.0.2 from the Advantech support portal.
2. Back up the current configuration.
3. Run the installer to upgrade to version 3.0.2.
4. Restart the WebAccess/NMS service.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to WebAccess/NMS to only trusted IP addresses using firewall rules.
Windows Firewall (New-NetFirewallRule has no "NotIn" address filter, and block rules take precedence over allow rules, so allow the trusted ranges explicitly and let the profile's default inbound action drop everything else):
New-NetFirewallRule -DisplayName "Allow WebAccess Trusted" -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress 192.168.1.0/24,10.0.0.0/8 -Action Allow
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Remove or disable any broader existing allow rule for TCP 80/443 on the host; otherwise it still admits untrusted sources.
Web Server IP Restriction
Configure IIS or the web server to only accept connections from authorized IP ranges.
IIS: Use IP Address and Domain Restrictions module to allow only specific IP ranges
🧯 If You Can't Patch
- Immediately isolate WebAccess/NMS system from internet and restrict internal network access using firewall rules
- Implement strict monitoring for unauthorized admin account creation and review all existing admin accounts
🔍 How to Verify
Check if Vulnerable:
Check WebAccess/NMS version in the web interface or via the installed program version. If version is below 3.0.2, the system is vulnerable.
Check Version:
Check via the web interface at http://[server]:80 or via Windows Programs and Features.
Verify Fix Applied:
After patching, verify version shows 3.0.2 and attempt to access the admin account creation endpoint (if known) to confirm it requires authentication.
📡 Detection & Monitoring
Log Indicators:
- Unusual admin account creation events
- Failed authentication attempts followed by successful admin creation
- HTTP POST requests to user creation endpoints from unauthorized IPs
Network Indicators:
- HTTP POST requests to /api/user/create or similar endpoints without authentication headers
- Traffic to WebAccess/NMS from unexpected source IPs
SIEM Query (field names are illustrative; map them to your log schema):
source="webaccess_logs" AND http_method="POST" AND (event_type="user_creation" OR uri_path="/api/user*") AND (user="-" OR user="")
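A small detection script for the log and network indicators above, added here as an example (it is not part of the original advisory and not Advantech's code): it parses IIS-style W3C access log lines and flags POSTs to user-creation endpoints that carry no authenticated user or originate outside the trusted management ranges, and marks whether the server answered 2xx. The endpoint paths, the trusted subnets and the log lines themselves are constructed assumptions; substitute the real WebAccess/NMS path and your own ranges.

```python
"""Flag unauthenticated account-creation requests in IIS-style W3C access logs.

Added example for the CVE-2020-10625 detection indicators; not part of the
original advisory or of Advantech's product. Endpoint paths, trusted subnets
and the sample log lines are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed user-creation endpoints. The advisory names /api/user/create "or
# similar"; confirm the real WebAccess/NMS path before deploying this.
USER_CREATION_PATHS = ("/api/user/create", "/api/user/add")

# Assumed trusted management subnets (same ranges as the firewall workaround).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                    ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log. IIS writes "-" for cs-username on anonymous requests.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-11 09:12:01 10.0.0.5 GET /login.aspx - 80 - 192.168.1.20 Mozilla/5.0 200
2020-03-11 09:12:07 10.0.0.5 POST /api/user/create - 80 admin 192.168.1.20 Mozilla/5.0 200
2020-03-11 09:13:44 10.0.0.5 POST /api/user/create - 80 - 203.0.113.77 python-requests/2.22 200
2020-03-11 09:13:45 10.0.0.5 POST /api/user/create - 80 - 203.0.113.77 python-requests/2.22 500
2020-03-11 09:15:02 10.0.0.5 POST /api/user/add - 80 - 10.20.30.40 curl/7.68.0 200
2020-03-11 09:16:10 10.0.0.5 GET /api/user/list - 80 admin 192.168.1.20 Mozilla/5.0 200
"""


@dataclass(frozen=True)
class Alert:
    time: str
    client_ip: str
    path: str
    username: str
    status: int
    reasons: Tuple[str, ...]
    succeeded: bool  # 2xx response: the account was most likely created


def parse_w3c(text: str) -> Iterable[dict]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, parts))


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside a trusted management subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source address is treated as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect_unauthenticated_account_creation(log_text: str) -> List[Alert]:
    """Return an Alert for every POST to a user-creation endpoint that carries
    no authenticated user or comes from outside the trusted ranges."""
    alerts: List[Alert] = []
    for rec in parse_w3c(log_text):
        if rec["cs-method"].upper() != "POST":
            continue
        if not rec["cs-uri-stem"].lower().startswith(USER_CREATION_PATHS):
            continue
        reasons = []
        if rec["cs-username"] in ("-", ""):
            reasons.append("anonymous")
        if not is_trusted(rec["c-ip"]):
            reasons.append("untrusted source")
        if not reasons:
            continue  # authenticated request from a trusted host: normal admin activity
        status = int(rec["sc-status"]) if rec["sc-status"].isdigit() else 0
        alerts.append(Alert(
            time=f'{rec["date"]} {rec["time"]}',
            client_ip=rec["c-ip"],
            path=rec["cs-uri-stem"],
            username=rec["cs-username"],
            status=status,
            reasons=tuple(reasons),
            succeeded=200 <= status < 300,
        ))
    return alerts


if __name__ == "__main__":
    for alert in detect_unauthenticated_account_creation(SAMPLE_LOG):
        flag = "SUCCEEDED" if alert.succeeded else "failed"
        print(f"{alert.time} {alert.client_ip} POST {alert.path} -> {alert.status} "
              f"({', '.join(alert.reasons)}; {flag})")
```

Run against the constructed sample, the admin's own POST from a trusted host produces nothing, the two anonymous POSTs from 203.0.113.77 are flagged (the first marked as succeeded, the second as failed on the 500), and the anonymous POST from inside 10.0.0.0/8 is still flagged as anonymous. Treating a successful anonymous request as the highest-priority alert mirrors the "Verify Fix Applied" step: after patching, such a request should never return 2xx.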