CVE-2018-14806
published 2018-10-23

CVE-2018-14806: Advantech WebAccess 8.3.1 and earlier has a path traversal vulnerability which may allow an attacker to execute arbitrary code.

Priority: P262 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.78% (90.8th percentile)

Affected

2 ranges

Vendor    | Product             | Version range | Fixed in
advantech | advantech_webaccess |               |
advantech | webaccess           | <= 8.3.1      |

Detection & IOCs (extracted from sources)

  • CVE-2018-14806 is a path traversal vulnerability (CWE-22) in Advantech WebAccess versions 8.3.1 and prior, exploitable remotely with no authentication required (CVSS v3 9.8: AV:N/AC:L/PR:N/UI:N). Detection should focus on path traversal patterns in HTTP requests targeting WebAccess endpoints.
  • No known public exploits were identified at time of advisory publication, but the vulnerability is rated exploitable remotely with low skill level. Monitor WebAccess network traffic for anomalous directory traversal sequences (e.g., '../' or '%2e%2e%2f') in request paths.
  • Affected product scope: Advantech WebAccess Versions 8.3.1 and prior. Presence of these versions on internet-accessible hosts should be treated as high-risk exposure given the network-exploitable, no-auth attack vector.
  • The advisory covers four distinct CVEs (CVE-2018-14816, CVE-2018-14820, CVE-2018-14828, CVE-2018-14806) under the same advisory ICSA-18-296-01. Ensure detections are scoped specifically to CVE-2018-14806 (path traversal / CWE-22) and not conflated with the stack-based buffer overflow (CVE-2018-14816), file deletion (CVE-2018-14820), or privilege management (CVE-2018-14828) issues.
  • The sources provide no specific filenames, hashes, URLs, IPs, or exploit payloads associated with CVE-2018-14806. No concrete IOCs are available from these documents; operational detection must rely on behavioral/traffic-based indicators until further technical analysis is published.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P