CVE-2024-50376
📋 TL;DR
This cross-site scripting (XSS) vulnerability affects Advantech industrial wireless access points. Attackers can exploit it by creating a malicious Wi-Fi network with a specially crafted SSID, which then executes arbitrary JavaScript in the device's web interface when administrators view network information. This affects specific Advantech EKI series devices running vulnerable firmware versions.
💻 Affected Systems
- Advantech EKI-6333AC-2G
- Advantech EKI-6333AC-2GD
- Advantech EKI-6333AC-1GPO
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could gain administrative access to the device, modify network configurations, intercept traffic, or use the device as a pivot point into the industrial network.
Likely Case
Attackers could steal administrator credentials via session hijacking, modify device settings, or deploy persistent backdoors in the web interface.
If Mitigated
With proper network segmentation and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Exploitation requires physical proximity to deploy a rogue access point, but the actual XSS attack is straightforward once the malicious SSID is broadcast.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EKI-6333AC-2G > 1.6.3, EKI-6333AC-2GD > v1.6.3, EKI-6333AC-1GPO > v1.2.1
Vendor Advisory: https://www.advantech.com/support
Restart Required: Yes
Instructions:
1. Download latest firmware from Advantech support portal. 2. Backup device configuration. 3. Upload firmware via web interface. 4. Reboot device. 5. Restore configuration if needed.
🔧 Temporary Workarounds
Disable Wi-Fi scanning
allPrevent device from scanning for wireless networks if not required
Network segmentation
allIsolate industrial devices from corporate networks using VLANs or firewalls
🧯 If You Can't Patch
- Physically secure devices to prevent unauthorized access for rogue AP deployment
- Implement strict network monitoring for unusual Wi-Fi scanning or web interface access patterns
🔍 How to Verify
Check if Vulnerable:
Check firmware version in web interface under System > Firmware InformationCheck Version:
No CLI command - check via web interface at System > Firmware InformationVerify Fix Applied:
Confirm firmware version is above vulnerable versions listed in affected_systems📡 Detection & Monitoring
Log Indicators:
- Unusual SSID names in wireless scan logs
- Multiple failed login attempts from unexpected IPs
- Configuration changes from unknown sources
Network Indicators:
- Unexpected Wi-Fi beacon frames near industrial equipment
- HTTP requests with JavaScript payloads to device web interface
SIEM Query:
source="advantech" AND (event="wireless_scan" AND ssid CONTAINS "<script>") OR (event="config_change" AND user="unknown")