CVE-2020-12026

Name of the Vulnerable Software and Affected Versions Advantech WebAccess Node versions 8.4.4 and prior Advantech WebAccess Node version 9.0.0

Description Multiple relative path traversal vulnerabilities exist, allowing a low-privilege user to overwrite files outside the application's control. The issue affects the WebAccess/SCADA ViewSrv and DrawSrv, where an IOCTL 0x0000277d directory traversal remote code execution vulnerability is present.

Recommendations For Advantech WebAccess Node versions 8.4.4 and prior, consider restricting access to sensitive files and directories to minimize the risk of exploitation. For Advantech WebAccess Node version 9.0.0, restrict access to the vulnerable IOCTL 0x0000277d to prevent remote code execution. As a temporary workaround, consider disabling the DrawSrv and ViewSrv services until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.