The US DHS Industrial Control Systems CERT (ICS-CERT) has warned organizations using Advantech’s ICS products to install an update that kills a remotely exploitable flaw in its WebAccess software. WebAccess is the Taiwanese company’s browser-based SCADA software for monitoring remote field devices. It’s known among security researchers as a type of SCADA Human Machine Interface (HMI) system and has been the focus of security research in part because of its use of Microsoft’s implementation of distributed computing protocol, Remote Procedure Call (RPC). A researcher at Trend Micro discovered multiple vulnerabilities in WebAccess, the worst of which is a stack-based bugger overflow, tracked as CVE-2018-14816, that has a CVSS version 3 score of 9.8 out of a possible 10.
Read full news article on CSO