Cisco’s Talos threat intelligence and research unit has disclosed the details of several critical vulnerabilities affecting a router monitoring application made by Taiwan-based industrial and IoT solutions provider Advantech.
The affected tool is R-SeeNet, which is designed to help network administrators monitor their Advantech routers.
Talos researchers discovered that R-SeeNet is affected by seven vulnerabilities, a majority of which have been assigned a critical severity rating.
An attacker can exploit the vulnerabilities to execute arbitrary JavaScript code in the targeted user’s browser by getting them to click on a malicious link, execute arbitrary OS commands using specially crafted HTTP requests, or execute PHP commands via malicious HTTP requests. Many of these security holes can be exploited even if the victim is not logged in, Talos noted.
The vulnerabilities have been found in R-SeeNet version 2.4.12 (released in October 2020) and were reported to Advantech in March. The vendor has updated the application since, but it’s unclear if any of the two newer versions patch the vulnerability. Advantech has not released a security advisory for R-SeeNet since October 2020.
Talos gave Advantech more than 90 days to release patches, but said it received no response from the company. Technical details and proof-of-concept (PoC) exploits have been made available for each vulnerability.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also been notified, but it has yet to release an advisory for these vulnerabilities.
Many of the vulnerabilities identified in Advantech products are reported to the vendor through Trend Micro’s Zero Day Initiative (ZDI). In a report for 2020, ZDI said it released nearly 200 advisories for Advantech flaws, more than for any other single vendor.
Related: Code Execution, DoS Flaws Patched in Advantech WebAccess
Related: Critical Code Execution Flaws Patched in Advantech WebAccess
Related: Several Vulnerabilities Patched in Advantech WebAccess
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- OpenSSL 1.1.1 Nears End of Life: Security Updates Only Until September 2023
- Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
Latest News
- Italy Temporarily Blocks ChatGPT Over Privacy Concerns
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
