CVE-2019-3954
Published 2019-06-19
Priority: P267 | critical | 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.91% (89.0th percentile)
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | webaccess | — | — |
| advantech_webaccess | scada | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation of CVE-2019-3954 by monitoring for IOCTL 81024 RPC calls to Advantech WebAccess/SCADA nodes, particularly those with oversized attacker-controlled data in the pNode and pProject fields that trigger a stack overflow in VdBroadWinGetLocalDataLogEx().
- Look for crash signatures or access violations in viewdll1.dll at VdBroadWinGetLocalDataLogEx+0x15a with EIP/stack overwritten with repeated 0x41 bytes (classic buffer overflow pattern), indicating active exploitation attempts.
- Monitor for exception handler chain corruption in msvcrt!_output_l triggered from viewdll1.dll sprintf calls, which is the exploitable condition identified for CVE-2019-3954.
- The format string '%s%s_%s\sysinfo.ini' in viewdll1.dll is the target of the overflow; monitor for abnormally large RPC input buffers destined for WebAccess Node processes that would overflow the fixed-size stack buffer at var_634.
- The vulnerability is unauthenticated and remotely exploitable: no credentials are required to trigger the IOCTL 81024 RPC stack overflow, meaning network-level access to the WebAccess Node RPC service is sufficient for exploitation.
- The vulnerable code path is specifically within the VdBroadWinGetLocalDataLogEx() function in viewdll1.dll; patching or replacing this DLL is required to remediate the vulnerability in Advantech WebAccess/SCADA 8.4.0.
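The bug class described above (an unbounded `sprintf` of request fields into a fixed-size stack buffer) is shown below next to a bounded replacement. This is an added example, not Advantech's code: the function names, the 260-byte buffer size, the base directory and the mapping of pProject/pNode onto the three `%s` slots are assumptions; only the format string comes from the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the page names the stack slot (var_634), not its length. */
#define PATH_BUF_SIZE 260
#define SYSINFO_FMT "%s%s_%s\\sysinfo.ini"

/* Pattern described on the page: nothing limits how much the request
 * fields write into the destination. Correct only for short inputs. */
int build_path_unbounded(char *out, const char *base,
                         const char *project, const char *node)
{
    return sprintf(out, SYSINFO_FMT, base, project, node);
}

/* Hardened form: the write is bounded by the real buffer size, and
 * truncation is an error, so an oversized field rejects the request
 * instead of producing a silently shortened path. */
int build_path_checked(char *out, size_t out_size, const char *base,
                       const char *project, const char *node)
{
    if (!out || out_size == 0 || !base || !project || !node)
        return -1;
    int n = snprintf(out, out_size, SYSINFO_FMT, base, project, node);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';            /* never hand back a partial path */
        return -1;
    }
    return n;                      /* length written, excluding NUL */
}

int main(void)
{
    char path[PATH_BUF_SIZE];
    char big[1024];                /* constructed oversized field */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    /* "C:\\base\\" is a constructed directory, not a real install path. */
    if (build_path_checked(path, sizeof path, "C:\\base\\", "proj", "node1") > 0)
        printf("ok: %s\n", path);
    if (build_path_checked(path, sizeof path, "C:\\base\\", "proj", big) < 0)
        puts("rejected oversized node name");
    return 0;
}
```
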
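CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |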
No detection rules found.
No public exploits indexed.