Multiple Critical Vulnerabilities in Advantech WebAccess/SCADA
Advantech WebAccess/SCADA has been found to contain several critical vulnerabilities, including an unrestricted file upload flaw (CVE-2025-14849) and a directory traversal vulnerability (CVE-2025-14850). The unrestricted file upload issue could allow a remote attacker to execute arbitrary code on affected systems, while the directory traversal flaw may enable attackers to delete arbitrary files. Both vulnerabilities are remotely exploitable and have been assigned high CVSS scores, indicating significant risk to organizations using this software in critical infrastructure sectors.
CISA has issued an advisory confirming that these vulnerabilities affect Advantech WebAccess/SCADA version 9.2.1, and recommends updating to version 9.2.2 to mitigate the risks. The vulnerabilities impact organizations in sectors such as critical manufacturing, energy, and water and wastewater, with deployments worldwide. Exploitation of these flaws could allow authenticated attackers to read or modify remote databases, potentially leading to severe operational disruptions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE records published for Advantech file upload and path traversal flaws
Public CVE entries were published for CVE-2025-14849, an unrestricted file upload flaw, and CVE-2025-14850, a directory traversal flaw in Advantech WebAccess/SCADA. The records described remote exploitation risk and linked the issues to CISA/ICS-CERT tracking.
CISA publishes advisory on Advantech WebAccess/SCADA vulnerabilities
CISA published advisory ICSA-25-352-06 warning that multiple critical vulnerabilities affect Advantech WebAccess/SCADA 9.2.1 used across sectors including manufacturing, energy, and water. CISA said no public exploitation had been reported at the time of the initial advisory and urged immediate mitigations.
Advantech releases WebAccess/SCADA 9.2.2 to fix multiple flaws
Advantech released version 9.2.2 of WebAccess/SCADA to address multiple critical vulnerabilities affecting version 9.2.1. The fixes cover issues that could let authenticated attackers manipulate files, execute code, or access remote databases.
Researcher reports Advantech WebAccess/SCADA vulnerabilities to CISA
Alex Williams of Pellera Technologies reported multiple vulnerabilities in Advantech WebAccess/SCADA to CISA, including directory traversal, unrestricted file upload, absolute path traversal, and SQL injection issues. The exact reporting date is not stated in the references.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2025-14849 - Advantech WebAccess/SCADA Unrestricted Upload of File with Dangerous Type
cvefeed.io
Open sourceCVE-2025-14850 - Advantech WebAccess/SCADA Improper Limitation of a Pathname to a Restricted Directory
cvefeed.io
Open sourceAdvantech WebAccess/SCADA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Industrial Control System Vulnerabilities Disclosed by CISA
CISA released a coordinated set of advisories detailing newly discovered vulnerabilities affecting a range of industrial control system (ICS) products from vendors including Advantech, Johnson Controls, Mitsubishi Electric, and SolisCloud. The vulnerabilities include a critical SQL injection flaw in Advantech iView (CVE-2025-13373), improper certificate expiration validation in Johnson Controls iSTAR (CVE-2025-61736), cleartext storage of sensitive information in Mitsubishi Electric GX Works2 (CVE-2025-3784), a forced browsing vulnerability in Johnson Controls OpenBlue Mobile Web Application (CVE-2025-26381), and an authorization bypass in SolisCloud Monitoring Platform (CVE-2025-13932). These flaws could allow attackers to access or modify sensitive data, disrupt communications, or gain unauthorized access to critical infrastructure systems. CISA's advisories provide technical details, affected product versions, and recommended mitigations, such as software updates and network segmentation, to reduce the risk of exploitation. The vulnerabilities impact products deployed globally across sectors such as critical manufacturing, energy, commercial facilities, and government services. Some advisories note that fixes are available, while others indicate that patches are still under development or that vendors have not responded to coordination efforts. CISA urges organizations using these products to review the advisories and implement recommended mitigations to protect against potential attacks targeting these ICS environments.
Mar 21, 2026
Multiple ICS Vulnerabilities Disclosed in November 2025 CISA Advisories
CISA published four new advisories detailing critical vulnerabilities affecting a range of industrial control system (ICS) products from Advantech, Ubia, and ABB. The vulnerabilities include improper input neutralization, path traversal, use of hard-coded credentials, insufficiently protected credentials, and improper validation of input types. Exploitation of these flaws could allow attackers to achieve remote code execution, denial-of-service, unauthorized access to camera feeds, or full remote control of affected devices. The impacted products are Advantech DeviceOn/iEdge (v2.0.2 and prior), Ubia Ubox (v1.1.124), and multiple ABB FLXeon controller models (various versions up to 9.3.5). CISA recommends immediate review of the technical details and implementation of mitigations provided in the advisories. Notably, the Ubia Ubox vulnerability remains uncoordinated with the vendor, increasing risk for users. Organizations using these ICS products should prioritize patching, restrict network exposure, and follow CISA's defensive measures to minimize exploitation risk. The advisories underscore the ongoing threat to critical infrastructure posed by vulnerabilities in widely deployed ICS equipment.
Mar 21, 2026
CISA Adds OpenPLC ScadaBR Vulnerabilities to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities affecting OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the active exploitation risk these flaws pose to federal and private sector networks. The most recent addition is CVE-2021-26828, an unrestricted file upload vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files on both Linux and Windows versions of OpenPLC ScadaBR. An additional vulnerability, CVE-2021-26829, a cross-site scripting (XSS) flaw, was also recently added to the catalog, impacting similar versions of the software. CISA has mandated that federal agencies remediate these vulnerabilities by December 24, 2025, in accordance with Binding Operational Directive 22-01, and strongly encourages private organizations to do the same to mitigate the risk of exploitation. These vulnerabilities are considered significant attack vectors for malicious cyber actors, as they can enable remote code execution and compromise of industrial control systems. The KEV catalog serves as a prioritized list for vulnerability management, and CISA's advisories stress the importance of timely remediation to protect critical infrastructure. Organizations are urged to review the KEV catalog and address these vulnerabilities promptly to reduce their exposure to active threats targeting OpenPLC ScadaBR deployments.
Mar 21, 2026