WebAccess is a browser-based software package for human-machine interfaces (HMI) and SCADA systems developed by Advantech.
The vulnerabilities affect WebAccess/SCADA Versions 8.3.5 and prior.
The software is widely adopted in many sectors worldwide, such as critical manufacturing, energy, and water and wastewater.
The vulnerabilities were reported to NCCIC by researchers Mat Powell and Natnael Samson (@NattiSamson) through Trend Micro’s Zero Day Initiative (ZDI).
The WebAccess is affected by three types of vulnerabilities, including two critical remote code execution flaws and one “high severity” denial-of-service (DoS) issue.
Below the flaws reported by the US ICS-CERT:
The vulnerabilities were reported to the vendor in January that addressed them with the release of version 8.4.0 of WebAccess.