Advantech WebAccess/NMS (ICSA-20-098-01) – Product Used in the Water and Wastewater and Energy Sectors

CISA has published an advisory on unrestricted upload of file with dangerous type, SQL injection, relative path traversal, missing authentication for critical function, improper restriction of XML external entity reference, and OS command injection vulnerabilities in Advantech WebAccess/NMS. Versions prior to 3.0.2 are affected. Successful exploitation of these vulnerabilities may allow an attacker to gain remote code execution, upload files, delete files, cause a denial-of-service condition, and create an admin account for the application. Advantech recommends updating to Version 3.0.2. CISA also recommends a series of measures to mitigate the vulnerabilities. Read the advisory at CISA.