Advantech WebAccess/VPN Command Injection Vulnerability in AppManagementController

Vulnerability

A command injection vulnerability has been identified in Advantech WebAccess/VPN versions prior to 1.1.5. The issue resides in the AppManagementController.appUpgradeAction() method: an authenticated system administrator can execute arbitrary commands as the web server user (www-data) by supplying a specially crafted filename for an uploaded file.
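
The bug class described above, as an added example that is not Advantech's code: a Python upload handler that validates the client-supplied filename against an allowlist, stores the file under a server-generated name, and starts the installer with an argument list and no shell. The installer path, its `--package` flag and the `.tar.gz` extension are assumptions made for illustration.

```python
import re
import secrets
import subprocess
from pathlib import Path

# Hypothetical installer path and flag, chosen for illustration only.
INSTALLER = "/usr/local/bin/example-upgrade"

# Allowlist for the client-supplied name: plain base name, fixed extension,
# no path separators, whitespace or shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.tar\.gz")


def is_safe_upload_name(client_name):
    """True only if the whole name matches the allowlist."""
    return SAFE_NAME.fullmatch(client_name) is not None


def build_upgrade_argv(package_path):
    """Argument list for the installer; each element is one argv entry."""
    return [INSTALLER, "--package", str(package_path)]


def handle_upgrade(client_name, data, upload_dir, run=subprocess.run):
    """Store an uploaded package and start the installer without a shell.

    The vulnerable pattern this replaces interpolates client_name into a
    command string that a shell then parses.
    """
    if not is_safe_upload_name(client_name):
        raise ValueError("rejected upload filename")
    # Server-generated name: the client-supplied one never reaches the
    # filesystem or the command line.
    dest = Path(upload_dir) / (secrets.token_hex(16) + ".tar.gz")
    dest.write_bytes(data)
    return run(build_upgrade_argv(dest), shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for name in ["pkg-1.1.5.tar.gz", "pkg.tar.gz; id", "$(id).tar.gz", "../pkg.tar.gz"]:
        print(repr(name), "accepted" if is_safe_upload_name(name) else "rejected")
```
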

Impact

Exploitation of this vulnerability allows arbitrary command execution on the server as the web server user (www-data).

Remediation

Users are advised to upgrade to Advantech WebAccess/VPN version 1.1.5.

Added: Nov 6, 2025, 10:06 PM
Updated: Nov 6, 2025, 10:06 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.8
remediation: 7.7
relevance: 0.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.