PT-2020-12983 · Advantech · Advantech Webaccess Node

Z0Mb1E · Published 2020-05-08 · Updated 2020-05-11 · CVE-2020-12014

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Advantech WebAccess Node versions 8.4.4 and prior
Advantech WebAccess Node version 9.0.0

Description

The issue arises from improper input sanitization, which may allow an attacker to inject SQL commands. This can lead to SQL injection and information disclosure vulnerabilities. Specifically, certain IOCTL commands, such as IOCTL 0x00013c74, IOCTL 0x00013c75, IOCTL 0x00013c71, IOCTL 0x00013c76, and IOCTL 0x00013c77, are affected.

Recommendations

For Advantech WebAccess Node versions 8.4.4 and prior, update to a version later than 8.4.4 to resolve the issue. For Advantech WebAccess Node version 9.0.0, consider disabling the BwWebSvc service until a patch is available. As a temporary workaround, restrict access to the affected IOCTL commands to minimize the risk of exploitation.

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2020-12014
ZDI-20-613
ZDI-20-614
ZDI-20-615

Affected Products

Advantech Webaccess Node