CVE-2023-2866

7.3 HIGH

📋 TL;DR

This vulnerability in Advantech WebAccess allows authenticated attackers to upload malicious .zip files that can deploy web shells, potentially granting full control of SCADA servers. It affects Advantech WebAccess version 8.4.5 users who process .zip files through the application. The attack requires tricking an authenticated user into loading the malicious file.

💻 Affected Systems

Products:
  • Advantech WebAccess
Versions: 8.4.5
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user interaction; vulnerability is in the .zip file processing functionality

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of SCADA server leading to operational disruption, data theft, or manipulation of industrial processes

🟠

Likely Case

Unauthorized access to SCADA system with ability to execute arbitrary commands and potentially pivot to other systems

🟢

If Mitigated

Limited impact if proper file upload restrictions and user awareness training are implemented

🌐 Internet-Facing: HIGH - WebAccess is typically internet-facing for remote access to SCADA systems
🏢 Internal Only: MEDIUM - Still significant risk from internal threats or compromised accounts

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to trick authenticated user; once file is loaded, exploitation is straightforward

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4.6 or later

Vendor Advisory: https://www.advantech.com/support

Restart Required: Yes

Instructions:

1. Download patch from Advantech support portal.
2. Backup current installation.
3. Apply patch following vendor instructions.
4. Restart WebAccess services.
5. Verify version is 8.4.6 or higher.

🔧 Temporary Workarounds

Restrict .zip file uploads (platform: windows)

Block .zip file uploads through WebAccess interface

Configure WebAccess file upload restrictions to reject .zip extensions

Implement user awareness training (platform: all)

Train users to never open untrusted .zip files in WebAccess

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WebAccess from critical SCADA systems
  • Deploy application whitelisting to prevent execution of unauthorized web shells

🔍 How to Verify

Check if Vulnerable:

Check WebAccess version in administration panel; if version is exactly 8.4.5, system is vulnerable

Check Version:

Check version in WebAccess/SCADA main interface or administration console

Verify Fix Applied:

Verify version shows 8.4.6 or higher in WebAccess administration panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual .zip file uploads
  • Web shell deployment patterns in web server logs
  • Unauthorized file writes to web directories

Network Indicators:

  • Unexpected outbound connections from WebAccess server
  • Suspicious HTTP requests to web shell paths

SIEM Query:

source="webaccess_logs" AND (file_extension=".zip" OR path="*.php" OR path="*.asp" OR path="*.jsp")
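The log indicators above can be turned into a small review script. The following is an added example, not code from the advisory or from Advantech: it scans web server access lines for a .zip upload and then flags later successful requests to script paths (.php/.asp/.aspx/.jsp) that are not in a known baseline, which is the "web shell deployment pattern" the section describes. The log format, the field order, the upload endpoint and all sample lines are constructed assumptions, not real WebAccess output.

```python
"""
Added example (not from the original page or the vendor): a log-review helper
implementing the detection heuristics from the advisory's Detection section.
Assumed log format (constructed): "<timestamp> <client> <method> <path> <status>".
Paths such as /upload and /uploads/cmd.aspx are placeholders, not real
WebAccess routes.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Script extensions that would be served as executable pages on a web server.
SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp")


@dataclass
class Event:
    ts: str
    client: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one assumed-format access log line; return None on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, path, status = parts
    try:
        return Event(ts, client, method.upper(), path, int(status))
    except ValueError:
        return None


def find_webshell_indicators(lines: List[str], baseline_paths: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, client, path) findings.

    'zip_upload'     : a POST whose path references a .zip filename.
    'new_script_hit' : a successful (200) request to a script path that is not
                       in the known baseline and occurs after a .zip upload.
    Non-200 hits (e.g. 404 probes) are ignored so that scanner noise is not
    reported as a deployed web shell.
    """
    findings: List[Tuple[str, str, str]] = []
    seen_upload = False
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        lower = ev.path.lower()
        if ev.method == "POST" and ".zip" in lower:
            seen_upload = True
            findings.append(("zip_upload", ev.client, ev.path))
            continue
        base = lower.split("?", 1)[0]
        if (seen_upload and ev.status == 200
                and base.endswith(SCRIPT_EXTENSIONS)
                and base not in baseline_paths):
            findings.append(("new_script_hit", ev.client, base))
    return findings


# Constructed sample log: a benign login, a .zip upload, then a hit on a script
# path that did not exist in the baseline, plus normal traffic and a 404 probe.
SAMPLE_LOG = """\
2023-06-01T10:00:01 10.0.0.5 GET /login.aspx 200
2023-06-01T10:00:09 10.0.0.5 POST /upload?file=project.zip 200
2023-06-01T10:00:30 10.0.0.5 GET /uploads/cmd.aspx 200
2023-06-01T10:01:00 10.0.0.7 GET /index.aspx 200
2023-06-01T10:01:05 10.0.0.9 GET /uploads/helper.php 404
"""

# Known, legitimate script paths of the application (constructed baseline).
BASELINE = {"/login.aspx", "/index.aspx"}

if __name__ == "__main__":
    for kind, client, path in find_webshell_indicators(SAMPLE_LOG.splitlines(), BASELINE):
        print(f"{kind:15s} client={client:10s} path={path}")
```

In practice the baseline set should be generated from a clean install (the list of script files under the web root), and a `new_script_hit` finding should be followed by checking the file's creation time and the account that wrote it, which is the "unauthorized file writes to web directories" indicator listed above.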

🔗 References
