cbcvebase.
CVE-2016-0856
published 2016-01-15

CVE-2016-0856: Multiple stack-based buffer overflows in Advantech WebAccess before 8.1 allow remote attackers to execute arbitrary code via unspecified vectors.

Priority P265 · critical · 9.8 · CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 16.66% (96.6th percentile)

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | webaccess | <= 8.0 | |

Detection & IOCs (extracted from sources)

  • port: 4592
  • port: 14592
  • process: webvrpcs.exe
  • process: datacore.exe
  • filename: BwOpcSvc.dll
  • command: IOCTL 0x1388B

  • Monitor TCP traffic on ports 4592 and 14592 for unauthenticated RPC calls to webvrpcs.exe and datacore.exe; both interfaces accept connections from remote unauthenticated clients.
  • Detect RPC attack packets targeting CVE-2016-0856 by looking for the IOCTL value 0x01388b in the payload on TCP port 4592, combined with an oversized input string (length field 0x8c / 140 bytes) exceeding the 0x80-byte stack buffer in BwOpcSvc.dll.
  • Alert on unexpected crashes or restarts of webvrpcs.exe; the watchdog process webvkeep will automatically restart it after a crash, which may indicate repeated exploitation attempts.
  • The vulnerability exists in Advantech WebAccess version 8.0 and was fixed in version 8.2; version 8.1 is also listed as vulnerable per the NVD advisory.
  • The RPC service webvrpcs.exe runs as local administrator, meaning successful exploitation grants SYSTEM-level equivalent privileges on the target.

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
ghsa · 7.5 HIGH