CVE-2020-13554
📋 TL;DR
This vulnerability lets a local, low-privileged user escalate to NT AUTHORITY\SYSTEM by exploiting insecure default file permissions in the Advantech WebAccess/SCADA installation. Because non-admin users can write to the webvrpcs Run Key folder, an attacker can replace a binary or module there and have it executed with SYSTEM privileges. Any organization running a version of Advantech WebAccess/SCADA without the fix below is affected.
💻 Affected Systems
- Advantech WebAccess/SCADA, versions without the 9.0.2 fix noted under Official Fix
📦 What is this software?
Advantech WebAccess/SCADA is a browser-based HMI/SCADA package used to supervise and control industrial processes; the server runs Windows services (including webvrpcs) as SYSTEM.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attacker gains SYSTEM privileges, enabling installation of persistent backdoors, credential theft, lateral movement across network, and disruption of industrial control operations.
Likely Case
Local privilege escalation leading to full control of affected SCADA/WebAccess server, potentially allowing attackers to manipulate industrial processes or steal sensitive operational data.
If Mitigated
Limited impact if only trusted administrators can obtain a local session on the server and the installation folder is writable solely by SYSTEM and Administrators; the attacker then has no low-privileged foothold from which to plant a binary.
🎯 Exploit Status
Exploitation requires a local session as a low-privileged user; no network-only path is known. The root cause (writable installation folder loaded by SYSTEM) is documented in public advisories in enough detail that weaponization is straightforward: copy a DLL or executable over one that SYSTEM loads and wait for the service or logon to run it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.2 or later
Vendor Advisory: https://www.advantech.com/support/details/firmware?id=1KXK3C3B6S
Restart Required: Yes
Instructions:
1. Download the latest version from the Advantech support portal.
2. Back up the current installation.
3. Run the installer with administrative privileges.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Restrict File Permissions
Reset the NTFS ACL on the WebAccess installation tree so that only SYSTEM and Administrators can write, while ordinary users keep read and execute so the client still runs. Recurse with /T, because the insecure ACEs are explicit entries on subfolders and a change to the root alone does not overwrite them. Do not add a deny ACE for Users: Administrators are members of Users, and a deny wins over the allow, so it would block administrators as well. Adjust the path if WebAccess is installed elsewhere, run from an elevated prompt, and test on a non-production server first, since the webvrpcs service and any other service account must keep the access they need.
icacls "C:\Program Files (x86)\Advantech\WebAccess" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX" /T
Remove Unnecessary Local Accounts
Remove or restrict local user accounts that do not require access to WebAccess systems.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WebAccess systems from general user networks
- Apply the principle of least privilege to all user accounts and service accounts accessing the system
- Limit interactive and RDP logon on the server to administrators; a low-privileged local session is all this vulnerability requires
🔍 How to Verify
Check if Vulnerable:
Check the WebAccess version via Control Panel > Programs and Features, and inspect the ACL on C:\Program Files (x86)\Advantech\WebAccess\webvrpcs (recursively, e.g. with icacls) for Allow entries that give Everyone, Users or Authenticated Users Write (W), Modify (M) or Full Control (F). Any such entry means a non-admin user can replace what SYSTEM loads.
Check Version:
wmic product where "name like '%WebAccess%'" get version
Note that wmic product enumerates and re-validates every MSI package on the host, so it is slow and can trigger MSI repair actions, and wmic itself is deprecated; reading DisplayVersion from the Uninstall registry keys avoids both problems.
Verify Fix Applied:
Verify that the installed WebAccess version is 9.0.2 or later and that no file or folder under the installation tree grants write, modify or full control to Everyone, Users, Authenticated Users or any other non-administrative principal; a correct version with a leftover permissive ACE is still exploitable.
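The following is an added example, not code from the page or from Advantech: it reads the installed WebAccess version from the Uninstall registry keys instead of running wmic product, then walks the installation tree and flags every Allow ACE that gives a low-privilege principal a write-capable right, which is the condition this CVE depends on. It assumes the install root named on this page (change $WebAccessRoot if WebAccess lives elsewhere) and an elevated PowerShell session so every subfolder's ACL is readable; the function names are mine.

```powershell
# Added example (not Advantech's or the advisory's own code). Assumptions: the
# install root below matches the one on this page; run from an elevated session.
$WebAccessRoot = 'C:\Program Files (x86)\Advantech\WebAccess'

# Principals a local, non-admin attacker controls or belongs to.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a file be replaced, removed, or its ACL loosened. Modify and
# FullControl are supersets of these bits, so a bitwise test catches them too.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-WebAccessVersion {
    # WebAccess is a 32-bit install, so check the WOW6432Node hive as well.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*WebAccess*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Find-InsecureAce {
    param([string]$Path = $WebAccessRoot)
    $items  = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            # Explicit write bits, or the GENERIC_WRITE (0x40000000) / GENERIC_ALL
            # (0x10000000) bits that inherited ACEs often carry instead.
            $canWrite = (($rights -band [int]$WriteRights) -ne 0) -or
                        (($rights -band 0x40000000) -ne 0) -or
                        (($rights -band 0x10000000) -ne 0)
            if ($canWrite) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Test-WebAccessFixed {
    # True only when a fixed version is installed AND no low-privilege write ACE remains;
    # a patched version with a leftover permissive ACE is still exploitable.
    $fixedVersion = [version]'9.0.2'
    $versionOk = $false
    foreach ($p in Get-WebAccessVersion) {
        try { if ([version]$p.DisplayVersion -ge $fixedVersion) { $versionOk = $true } } catch {}
    }
    $findings = @(Find-InsecureAce)
    $findings | Format-Table -AutoSize | Out-Host
    return ($versionOk -and $findings.Count -eq 0)
}

Test-WebAccessFixed
```

Run it before and after applying the patch or the icacls workaround; every row it prints is a path where a non-admin user can still plant a file, so the check passes only when the table is empty and the version is at or above 9.0.2.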
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4663 (object access) showing write, delete or permission-change access to the WebAccess installation folder by an account other than SYSTEM or an administrator. This event is only generated if the File System audit subcategory is enabled and the folder carries a SACL; with default settings nothing is logged.
- System log Service Control Manager events (for example 7036 state changes or 7034 unexpected terminations) for the WebAccess services, and file-integrity or hash changes on binaries and modules under the installation folder that do not coincide with a vendor update
Network Indicators:
- Unusual outbound connections from WebAccess server to external IPs
- Anomalous authentication patterns to WebAccess interfaces
SIEM Query:
source="windows_security" EventID=4663 ObjectName="*WebAccess*" AccessMask IN ("0x2","0x4","0x10000","0x40000","0x80000") NOT AccountName="SYSTEM" | stats count by AccountName, ProcessName, ObjectName
The mask values are the 4663 access bits that matter here: 0x2 WriteData/AddFile, 0x4 AppendData/AddSubdirectory, 0x10000 DELETE, 0x40000 WRITE_DAC, 0x80000 WRITE_OWNER; matching only 0x2 misses a delete-and-recreate or an ACL change. Field names depend on how the events are ingested, so map AccountName, ProcessName and ObjectName to the names your collector uses.
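The following is an added example, not code from the page or from Advantech: the first function enables the auditing that Event ID 4663 depends on (the File System audit subcategory plus a SACL on the installation tree), and the second pulls 4663 events for that tree and keeps those whose AccessMask contains a write-type bit, producing the same Account/Process/Object view as the SIEM query above. It assumes the install root named on this page, an elevated session (writing a SACL needs SeSecurityPrivilege), and that no Group Policy advanced audit setting overrides the local auditpol change; the function names are mine.

```powershell
# Added example (not Advantech's or the advisory's own code). Assumptions: the
# install root below matches the one on this page; run from an elevated session.
$WebAccessRoot = 'C:\Program Files (x86)\Advantech\WebAccess'

function Enable-WebAccessWriteAudit {
    param([string]$Path = $WebAccessRoot)
    # 4663 is emitted only when the subcategory is on (a GPO advanced audit policy
    # overrides this local setting) and the object has a SACL.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    # Audit every principal for the accesses that replace a file or loosen its ACL.
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        'Write, Delete, ChangePermissions, TakeOwnership',
        'ContainerInherit, ObjectInherit',
        'None',
        'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-WebAccessWriteEvents {
    param([string]$Path = $WebAccessRoot, [int]$Hours = 24)
    # 4663 AccessMask bits: 0x2 WriteData/AddFile, 0x4 AppendData/AddSubdirectory,
    # 0x10000 DELETE, 0x40000 WRITE_DAC, 0x80000 WRITE_OWNER.
    $writeBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # The WebAccess services write their own logs here as SYSTEM (S-1-5-18);
        # drop those, since an attacker acts as the low-privileged user before escalating.
        if ($d['SubjectUserSid'] -eq 'S-1-5-18') { return }
        if ($d['ObjectName'] -notlike "$Path*") { return }
        $mask = [Convert]::ToInt64($d['AccessMask'], 16)
        if (($mask -band $writeBits) -ne 0) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process    = $d['ProcessName']
                Object     = $d['ObjectName']
                AccessMask = ('0x{0:X}' -f $mask)
            }
        }
    }
}

Enable-WebAccessWriteAudit
Get-WebAccessWriteEvents -Hours 24 | Format-Table -AutoSize
```

Enable the audit once, then schedule or run the query ad hoc; any row whose Process is not the WebAccess installer or a known admin tool is worth triage. Expect some noise from the WebAccess services themselves, which is why SYSTEM is excluded, and keep in mind that forwarding the Security log off the host is what makes these events survive a SYSTEM-level attacker clearing them.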