CVE-2020-12006: Advantech WebAccess/SCADA DrawSrv IOCTL 0x00002711 Command Injection Remote Code Execution Vulnerability
First published: Fri May 08 2020(Updated: )
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Advantech WebAccess/SCADA | ||
| Advantech WebAccess | <=8.4.4 | |
| Advantech WebAccess | =9.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this security flaw?
The vulnerability ID of this security flaw is CVE-2020-12006.
What is the severity level of CVE-2020-12006?
CVE-2020-12006 has a severity level of 9.8 (Critical).
What is the affected software in this vulnerability?
The affected software is Advantech WebAccess/SCADA versions 8.4.4 and 9.0.0.
What is the specific flaw in Advantech WebAccess/SCADA?
The specific flaw is in the implementation of IOCTL 0x00002711 in ViewSrv.dll.
Is authentication required to exploit CVE-2020-12006?
No, authentication is not required to exploit CVE-2020-12006.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/author
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-20-589
- alias/ZDI-CAN-9995
- alias/CVE-2020-12006
- agent/software-canonical-lookup
- alias/ZDI-20-595
- alias/ZDI-CAN-9905
- alias/ZDI-20-605
- alias/ZDI-CAN-9901
- vendor/advantech
- canonical/advantech webaccess
- version/advantech webaccess/8.4.4
- version/advantech webaccess/9.0.0
- canonical/advantech webaccess/scada