Recent disclosures have unveiled nearly two dozen vulnerabilities in Advantech’s industrial-grade wireless access points, a suite of devices that are integral to operational technology networks. Among these vulnerabilities, several are critical, enabling potential attackers to bypass authentication protocols and execute code at elevated privileges, thereby posing substantial risks to the integrity and availability of the devices.
Cybersecurity firm Nozomi Networks highlighted in their analysis that these flaws permit unauthenticated remote code execution, effectively compromising the confidentiality of the affected endpoints. Following responsible disclosure, relevant firmware versions have been released to mitigate these issues, specifically versions 1.6.5 for the EKI-6333AC-2G and EKI-6333AC-2GD models, and version 1.2.2 for the EKI-6333AC-1GPO.
Of the 20 vulnerabilities identified, six have been classified as critical. Notably, these critical threats include the installation of persistent backdoors, potential denial-of-service (DoS) attacks, and the repurposing of infected systems as Linux workstations, which could enhance lateral movement within the network. Most concerning are five of these critical vulnerabilities (CVE-2024-50370 through CVE-2024-50374) that arise from flaws in the handling of special elements in operating system commands, which have been assigned a CVSS score of 9.8. Another critical vulnerability, CVE-2024-50375, which also holds a CVSS score of 9.8, centers around missing authentication for a crucial function.
Additionally, CVE-2024-50376, presenting a CVSS score of 7.3, constitutes a cross-site scripting vulnerability likely to be exploited alongside CVE-2024-50359, scoring 7.2, an example of command injection requiring authentication. This dual exploitation could enable attackers to achieve arbitrary code execution remotely, albeit requiring them to be positioned in close physical proximity to the vulnerable access points to transmit specially crafted data through a rogue access point.
The attack mechanism unfolds when an administrator interacts with the “Wi-Fi Analyzer” section of the device’s web application. The interaction triggers the application to integrate information from beacon frames broadcast by the attacker without executing necessary data sanitization checks. Through this exploitation vector, malicious actors can insert JavaScript payloads via the rogue access point’s SSID, leveraging the vulnerabilities to execute arbitrary JavaScript code within the victim’s browser context.
The outcome is particularly troubling: it allows adversaries to commandeer the compromised devices, executing commands with root privileges, potentially creating reverse shells that facilitate ongoing access for malicious actors. This scenario sets the stage for deeper network infiltration, where attackers can siphon data or deploy further malicious scripts to expand their foothold.
Given the nature of these vulnerabilities and the potential for significant exploitation, business owners should remain vigilant. It is crucial for organizations utilizing Advantech’s wireless access points to apply the latest firmware updates promptly and review security measures to safeguard against these identified risks.
The implications of such vulnerabilities extend beyond just individual devices; they underscore the need for robust cybersecurity practices that can withstand sophisticated attacks leveraging the MITRE ATT&CK framework, which includes tactics like initial access, persistence, and privilege escalation. The landscape of cybersecurity threats is ever-evolving, and businesses must adapt proactively to mitigate risks effectively.
