


Perceptive Security
SOC/SIEM Consultancy

Advantech WebAccess/SCADA
Published:
18 December 2025 at 12:00:00
Alert date:
18 December 2025 at 18:04:12
Source:
cisa.gov
Multiple critical vulnerabilities discovered in Advantech WebAccess/SCADA version 9.2.1 affecting critical infrastructure sectors worldwide. Five CVEs identified including path traversal, unrestricted file upload, absolute path traversal, and SQL injection vulnerabilities with CVSS scores ranging from 4.3 to 8.8. Successful exploitation could allow authenticated attackers to read or modify remote databases, execute arbitrary code, delete files, or determine file existence. Vendor has released version 9.2.2 as a fix. Product is deployed globally in critical manufacturing, energy, and water/wastewater sectors. No known public exploitation reported at time of advisory publication.
Affected products:
Advantech WebAccess/SCADA
Related links:
https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json
https://nvd.nist.gov/vuln/detail/CVE-2025-14850
https://nvd.nist.gov/vuln/detail/CVE-2025-14849
https://nvd.nist.gov/vuln/detail/CVE-2025-14848
https://nvd.nist.gov/vuln/detail/CVE-2025-46268
https://nvd.nist.gov/vuln/detail/CVE-2025-67653
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/434.html
https://cwe.mitre.org/data/definitions/36.html
https://cwe.mitre.org/data/definitions/89.html
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
This article was created with the assistance of AI technology by Perceptive.
