CVE-2019-3954
published 2019-06-19

Priority: P267 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.91% (89.0th percentile)
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.

Affected

2 ranges
Vendor · Product · Version range · Fixed in
advantechwebaccess
advantech_webaccessscada

Detection & IOCs (extracted from sources)

other: IOCTL 81024 RPC call
path: C:\WebAccess\Node\viewdll1.dll
filename: viewdll1.dll
  • Detect exploitation of CVE-2019-3954 by monitoring for IOCTL 81024 RPC calls to Advantech WebAccess/SCADA nodes, particularly those with oversized attacker-controlled data in the pNode and pProject fields that trigger a stack overflow in VdBroadWinGetLocalDataLogEx().
  • Look for crash signatures or access violations in viewdll1.dll at VdBroadWinGetLocalDataLogEx+0x15a with EIP/stack overwritten with repeated 0x41 bytes (classic buffer overflow pattern), indicating active exploitation attempts.
  • Monitor for exception handler chain corruption in msvcrt!_output_l triggered from viewdll1.dll sprintf calls, which is the exploitable condition identified for CVE-2019-3954.
  • The format string '%s%s_%s\sysinfo.ini' in viewdll1.dll is the target of the overflow; monitor for abnormally large RPC input buffers destined for WebAccess Node processes that would overflow the fixed-size stack buffer at var_634.
  • The vulnerability is unauthenticated and remotely exploitable — no credentials are required to trigger the IOCTL 81024 RPC stack overflow, meaning network-level access to the WebAccess Node RPC service is sufficient for exploitation.
  • The vulnerable code path is specifically within the VdBroadWinGetLocalDataLogEx() function in viewdll1.dll; patching or replacing this DLL is required to remediate the vulnerability in Advantech WebAccess/SCADA 8.4.0.

CVSS provenance

nvd · v3.0 · 9.8 · CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P