CVE-2017-16716
published 2018-01-05

CVE-2017-16716: A SQL Injection issue was discovered in WebAccess versions prior to 8.3. WebAccess does not properly sanitize its inputs for SQL commands.

Priority: P269, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.01% (92.4th percentile)

Affected

1 range

Vendor     Product    Version range  Fixed in
advantech  webaccess  < 8.3          8.3

Detection & IOCs (extracted from sources)

url: Login/<project>/notadmin'%20or%20'x'%3D'x/nopass
command: notadmin' or 'x'='x
  • Monitor HTTP GET requests to the WebAccess Login endpoint containing URL-encoded SQL injection payloads, specifically the pattern '%20or%20' or the literal string "notadmin' or 'x'='x" in the URL path.
  • Detect responses from the WebAccess Login endpoint containing the string 'OK TOKEN', which indicates a successful authentication bypass via SQL injection.
  • The exploit targets the user parameter in the Login URL path (not a POST body), so inspect URL path segments — not just query strings — for SQL injection patterns on WebAccess login routes.
  • Alert on WebAccess versions prior to 8.3 receiving GET requests to the Login/ path with single-quote characters (%27 or literal ') in the username path segment.
  • The exploit first enumerates available project names before injecting; detection should also cover reconnaissance GET requests to the WebAccess project-listing endpoint, not only the Login path.
  • The returned authentication token from a successful bypass can be reused for further transactions against the WebAccess API; a single successful bypass event may be followed by additional authenticated API calls that should also be monitored.
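
The path-segment check from the bullets above, as an added example (not code from the advisory, the vendor or this site): it parses access-log lines, decodes the username segment of `Login/<project>/<user>/...` requests, and flags single quotes and the quoted OR pattern. The combined log format, the `/app` prefix and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log line (log format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Quote, OR, quote: the shape of the username value quoted on this page.
TAUTOLOGY_RE = re.compile(r"'\s*or\s*'", re.IGNORECASE)
# Constructed sample lines; the /app prefix, project and user names are placeholders.
SAMPLE_LOG = [
    '198.51.100.4 - - [05/Jan/2018:10:00:01 +0000] "GET /app/Login/plant1/operator/pw HTTP/1.1" 200 12',
    '198.51.100.9 - - [05/Jan/2018:10:00:07 +0000] "GET /app/Login/plant1/notadmin\'%20or%20\'x\'%3D\'x/nopass HTTP/1.1" 200 40',
    '198.51.100.9 - - [05/Jan/2018:10:00:09 +0000] "GET /app/Login/plant1/o%27brien/pw HTTP/1.1" 200 12',
    '198.51.100.4 - - [05/Jan/2018:10:00:11 +0000] "GET /app/index.html?q=it\'s HTTP/1.1" 200 900',
]

def fully_unquote(value, max_rounds=3):
    """Percent-decode until stable so nested encodings are normalized before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return findings for the username path segment of a GET Login request."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return []
    # Work on the path only: the page notes the value sits in a path segment.
    segments = [s for s in m.group("target").split("?", 1)[0].split("/") if s]
    lowered = [s.lower() for s in segments]
    if "login" not in lowered:
        return []
    i = lowered.index("login")
    if len(segments) < i + 3:  # expect Login/<project>/<user>/...
        return []
    user = fully_unquote(segments[i + 2])
    findings = []
    if "'" in user:
        findings.append("quote-in-username-segment")
    if TAUTOLOGY_RE.search(user):
        findings.append("or-tautology")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line that raised a finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := inspect_line(line))]
```

A bare quote in a username can be legitimate (the third sample line), so the two findings are best scored separately, with the OR pattern given the higher severity.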

CVSS provenance

nvd  v3.0  9.8  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P