CVE-2014-0773

The CreateProcess method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX control in bwocxrun.ocx in Advantech WebAccess before 7.2 allows remote attackers to execute (1) setup.exe, (2) bwvbprt.exe, and (3) bwvbprtl.exe programs from arbitrary pathnames via a crafted argument, as demonstrated by a UNC share pathname.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
icscertCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
advantechadvantech_webaccess
𝑥
≤ 7.1
advantechadvantech_webaccess
5.0
advantechadvantech_webaccess
6.0
advantechadvantech_webaccess
7.0
𝑥
= Vulnerable software versions
References
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03