Request a Demo
Rewterz
Rewterz Threat Alert – HawkEye Infostealer – Active IOCs
June 30, 2022
Rewterz
Rewterz Threat Alert – Evilnum APT Group – Active IOCs
June 30, 2022

Rewterz Threat Advisory –ICS: Multiple Advantech iView Vulnerabilities

Severity

High

Analysis Summary

CVE-2022-2143 CVSS:9.8
Advantech iView could allow a remote attacker to execute arbitrary commands on the system, caused by a command injection vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.

CVE-2022-2139 CVSS:6.5
Advantech iView could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system.

CVE-2022-2138 CVSS:8.2
Advantech iView is vulnerable to a denial of service, caused by missing authentication for a critical function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to read or modify sensitive data and execute arbitrary code, resulting in a denial-of-service.

CVE-2022-2142 CVSS:8.1
Advantech iView is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to view, add, modify or delete information in the back-end database.

CVE-2022-2137 CVSS:8.8
Advantech iView is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to view, add, modify or delete information in the back-end database.

CVE-2022-2136 CVSS:8.8
Advantech iView is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to view, add, modify or delete information in the back-end database.

CVE-2022-2135 CVSS:4.9
Advantech iView is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to view, add, modify or delete information in the back-end database.

Impact

  • Unauthorized Access
  • Information Theft
  • Denial of Service
  • Data Manipulation

Indicators Of Compromise

CVE

  • CVE-2022-2143
  • CVE-2022-2139
  • CVE-2022-2138
  • CVE-2022-2142
  • CVE-2022-2137
  • CVE-2022-2136
  • CVE-2022-2135

Affected Vendors

  • Advantech

Affected Products

Advantech iView 5.7

Remediation

Upgrade to the latest version of iView, available from the Advantech Web site. 

Advantech Website