cbcvebase.
CVE-2019-3953
published 2019-06-18

CVE-2019-3953: Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL…

PriorityP267critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
3.99%
89.2th percentile
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 10012 RPC call.

Affected

2 ranges
VendorProductVersion rangeFixed in
advantechwebaccess
advantech_webaccessscada

Detection & IOCsextracted from sources · hover to see the quote

otherIOCTL 10012 RPC call
pathviewsrv.dll
pathC:\WebAccess\Node\viewdll1.dll
pathviewdll1.dll
  • Detect crafted IOCTL 10012 RPC calls targeting Advantech WebAccess/SCADA, which trigger a stack-based buffer overflow in viewsrv.dll via an unchecked sprintf into a fixed-size stack buffer.
  • Monitor for EIP/instruction pointer control with value 0x41414141 (classic buffer overflow pattern) in processes associated with WebAccess/SCADA RPC services.
  • Alert on access violations or crashes in viewsrv.dll or viewdll1.dll originating from unauthenticated remote RPC connections, particularly involving sprintf calls with attacker-controlled format strings.
  • Detect IOCTL 81024 RPC messages targeting VdBroadWinGetLocalDataLogEx() in viewdll1.dll as a related attack vector (CVE-2019-3954) on the same product.
  • Look for corruption of the exception handler chain in WebAccess/SCADA node processes as an indicator of active exploitation via the IOCTL 81024 overflow path.
  • ·The vulnerability affects Advantech WebAccess/SCADA version 8.4.0 specifically; verify the installed version before applying detection logic.
  • ·The overflow is triggered via an unauthenticated RPC call, meaning no credentials are required; network-level controls blocking RPC access to WebAccess/SCADA nodes are a critical mitigation layer.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.