CVE-2016-0854
published 2016-01-15

CVE-2016-0854: Unrestricted file upload vulnerability in the uploadImageCommon function in the UploadAjaxAction script in the WebAccess Dashboard Viewer in Advantech…

Priority: P182 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 77.11% (99.5th percentile)

Unrestricted file upload vulnerability in the uploadImageCommon function in the UploadAjaxAction script in the WebAccess Dashboard Viewer in Advantech WebAccess before 8.1 allows remote attackers to write to files of arbitrary types via unspecified vectors.

Affected

1 range
Vendor      Product     Version range   Fixed in
advantech   webaccess   <= 8.0

Detection & IOCs (extracted from sources)

url: /WADashboard/ajax/UploadAjaxAction.aspx
path: /WADashboard/ajax/UploadAjaxAction.aspx
filename: *.aspx (random 5-char alpha name)
  • Detect unauthenticated multipart POST requests to /WADashboard/ajax/UploadAjaxAction.aspx with actionName=uploadFile, indicating exploitation of the arbitrary file upload endpoint.
  • Alert on HTTP 200 responses from UploadAjaxAction.aspx whose body contains the JSON pattern {"resStatus":"0","resString":"/..."}, confirming a successful malicious file upload.
  • Monitor for GET requests to /WADashboard/<filename>.aspx immediately following a POST upload to UploadAjaxAction.aspx, indicating the attacker is triggering execution of the uploaded webshell.
  • Flag the presence of the waUserName=admin cookie in requests to the UploadAjaxAction endpoint; the exploit sets this cookie without prior authentication to bypass access controls.
  • Uploaded ASPX webshells will execute under the IIS AppPool high-privilege context; monitor IIS worker process (w3wp.exe) for spawning unexpected child processes after a file upload event.
  • Vulnerable installations can be identified by checking the HTTP response body for the pattern 'Software Build : 8.0-', which marks Advantech WebAccess 8.0.
  • The exploit requires no authentication; the waUserName=admin cookie is set client-side by the attacker and is not validated server-side, meaning network-level controls blocking unauthenticated access to /WADashboard/ are the primary mitigation.
  • The vulnerability is confirmed only against Advantech WebAccess 8.0; the Metasploit module checks for exactly version 8.0 and marks other versions as Safe, so detections should be scoped accordingly.
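
One way to implement the POST-then-GET correlation from the list above, as an added example that is not part of the original page or of any vendor tooling. The IIS W3C field set, the five-minute window and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

UPLOAD_STEM = "/wadashboard/ajax/uploadajaxaction.aspx"  # endpoint named on the page
# Page: the uploaded file is a random 5-letter .aspx name under /WADashboard/
SHELL_RE = re.compile(r"^/wadashboard/[a-z]{5}\.aspx$", re.IGNORECASE)
WINDOW = timedelta(minutes=5)  # assumption: what "immediately following" means here

# Constructed sample log (documentation IP ranges, invented file names)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2016-02-01 10:00:01 192.0.2.10 GET /WADashboard/login.aspx 200
2016-02-01 10:00:05 198.51.100.7 POST /WADashboard/ajax/UploadAjaxAction.aspx 200
2016-02-01 10:00:07 198.51.100.7 GET /WADashboard/qzkfw.aspx 200
2016-02-01 10:03:00 192.0.2.10 GET /WADashboard/index.aspx 200
2016-02-01 11:30:00 198.51.100.7 GET /WADashboard/abcde.aspx 404
"""

def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def find_upload_then_fetch(text, window=WINDOW):
    """Flag GETs of a 5-letter .aspx by a client that just POSTed to the upload endpoint."""
    last_upload = {}  # client IP -> time of its most recent upload POST
    alerts = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip, method, stem = rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]
        if method == "POST" and stem.lower() == UPLOAD_STEM:
            last_upload[ip] = ts
        elif method == "GET" and SHELL_RE.match(stem) and ip in last_upload:
            # A 5-letter page name alone is noisy (index.aspx matches); the
            # preceding upload from the same client is what makes it suspicious.
            if timedelta(0) <= ts - last_upload[ip] <= window:
                alerts.append({"client": ip, "uploaded_at": last_upload[ip],
                               "fetched": stem, "status": rec["sc-status"]})
    return alerts

if __name__ == "__main__":
    for alert in find_upload_then_fetch(SAMPLE_LOG):
        print(alert)
```

The cookie and multipart body checks from the list are not covered here because they need request fields that this minimal log format does not carry.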

CVSS provenance

nvd   v3.0   9.8    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C