
How to remediate – Advantech WebAccess webvrpcs.exe Path Traversal RCE

1. Introduction

The Advantech WebAccess/SCADA Network Service vulnerability (webvrpcs.exe Path Traversal RCE) allows a remote attacker to execute arbitrary code on affected systems. This is due to improper validation of user input when processing DCERPC requests. Successful exploitation could lead to complete system compromise, data theft, or denial of service. SCADA and industrial control systems running WebAccess are typically affected. Impact: Confidentiality, Integrity, and Availability may be compromised.

2. Technical Explanation

  • Root cause: Failure to validate user-supplied input when processing DCERPC requests.
  • Exploit mechanism: An unauthenticated attacker can send a series of crafted DCERPC requests containing malicious paths, bypassing security checks and executing arbitrary code on the target system. For example, an attacker could use a specially crafted request to write a file to a location that allows for command execution.
  • Scope: Advantech WebAccess/SCADA Network Service versions prior to 8.3 are affected. Versions 8.3.1 and 8.3.2 have also been shown to be vulnerable despite initial reports of being fixed.

3. Detection and Assessment

To confirm vulnerability, check the WebAccess/SCADA service version. A thorough assessment involves network traffic analysis for malicious DCERPC requests.

  • Quick checks: Check the running process version using Task Manager or PowerShell: Get-Process webvrpcs | Select-Object Name, FileVersion, ProductVersion (run from an elevated session; the version fields are blank if the process cannot be opened).
  • Logs and evidence: Examine application logs for suspicious DCERPC requests or errors related to file access. Log files are typically located in the WebAccess installation directory; exact paths vary by configuration.
Get-Process webvrpcs | Select-Object Name, FileVersion, ProductVersion

4. Solution / Remediation Steps

4.1 Preparation

  • Ensure you have access to the latest installation media for WebAccess/SCADA version 8.3.3 or later. A roll back plan involves restoring from the backup created in this step.
  • A change window may be required due to potential service disruption. Approval from system owners is recommended.

4.2 Implementation

  1. Step 1: Download and install WebAccess/SCADA version 8.3.3 or later, following the vendor’s installation guide.
  2. Step 2: Verify that the service has been upgraded successfully by checking the process version (as described in Section 3).
  3. Step 3: Restart the WebAccess/SCADA service.

4.3 Config or Code Example

No configuration changes are required; this fix involves upgrading the software.

Before

WebAccess/SCADA version < 8.3 (vulnerable)

After

WebAccess/SCADA version 8.3.3 or later (patched)

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this type of vulnerability. Input validation is critical for blocking malicious requests. Least privilege limits the impact if an attacker gains access. A robust patch management process ensures timely updates.

  • Practice 1: Implement strict input validation on all user-supplied data to prevent injection attacks and path traversal attempts.
  • Practice 2: Apply the principle of least privilege, granting only necessary permissions to service accounts and users.
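
To illustrate Practice 1, the following added example (not Advantech's code and not part of the vendor fix) shows the canonicalise-then-compare check that stops a supplied file name from resolving outside a fixed directory on Windows. The function name Resolve-ContainedPath and the directory C:\Data\Projects are hypothetical.

```powershell
# Added example: reject any requested file name that resolves outside a fixed
# base directory. Function name and directory are hypothetical.
function Resolve-ContainedPath {
    param(
        [Parameter(Mandatory)][string]$BaseDir,
        [Parameter(Mandatory)][string]$Requested
    )
    $sep  = [System.IO.Path]::DirectorySeparatorChar
    # Canonicalise the base once and force a trailing separator so that
    # "C:\Data\Projects-old" cannot pass a prefix test for "C:\Data\Projects".
    $base = [System.IO.Path]::GetFullPath($BaseDir).TrimEnd($sep) + $sep

    # Combine() returns $Requested unchanged when it is rooted (C:\..., \\host\share),
    # so absolute and UNC inputs are caught by the same prefix test below.
    $full = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($base, $Requested))

    if (-not $full.StartsWith($base, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Rejected path outside ${BaseDir}: $Requested"
    }
    return $full
}

# Constructed inputs: one legitimate name and three that must be rejected.
$base = 'C:\Data\Projects'
foreach ($name in 'plant1\config.ini', '..\..\Windows\win.ini',
                  '..\Projects-old\x.txt', 'C:\Windows\win.ini') {
    try   { "{0,-28} -> {1}" -f $name, (Resolve-ContainedPath $base $name) }
    catch { "{0,-28} -> REJECTED" -f $name }
}
```

The comparison is made on the resolved path, never on the raw input, so filtering for the literal string "..\" is not needed and would not be sufficient on its own.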

4.5 Automation (Optional)

Automated patching can be used for large deployments. Use caution when automating updates in production environments.

# Example PowerShell script snippet (use with caution).
# Confirm the service name, package name and share path for your environment before use.
# Stop-Service -Name "WebAccessSCADAService"
# Install-Package -Name "AdvantechWebAccess8.3.3" -Source "\\networkshare\patches"
# Start-Service -Name "WebAccessSCADAService"

5. Verification / Validation

  • Post-fix check: Run Get-Process webvrpcs | Select-Object Name, FileVersion, ProductVersion and confirm the output shows version 8.3.3 or later.
  • Re-test: Attempt to exploit the vulnerability using a proof-of-concept tool (if available) or by sending crafted DCERPC requests. The attempt should fail.
  • Smoke test: Verify that users can still connect to the SCADA system and access key data.
  • Monitoring: Monitor application logs for errors related to file access or DCERPC processing. Look for any unusual activity.
Get-Process webvrpcs | Select-Object Name, FileVersion, ProductVersion
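
The quick check in Section 3 and the post-fix check above can be scripted so that the result is a clear state and not a version string to be read by eye. This is an added example, not vendor tooling; it assumes the version resource of webvrpcs.exe tracks the WebAccess/SCADA release number, and the function names are hypothetical.

```powershell
# Added example: classify a running webvrpcs.exe against the 8.3.3 threshold
# given in this article. Assumes the binary's version resource matches the
# WebAccess/SCADA release number (an assumption; confirm with the vendor advisory).
$FixedVersion = [version]'8.3.3'

function ConvertTo-WebAccessVersion {
    param([string]$Raw)
    # Version resources are often written "8, 3, 3, 0" or carry a trailing label.
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $normalized = $Raw -replace '\s*,\s*', '.'
    if ($normalized -match '(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Get-WebAccessPatchState {
    $procs = Get-Process -Name webvrpcs -ErrorAction SilentlyContinue
    if (-not $procs) {
        # Nothing to inspect: report it explicitly; this is not a clean result.
        return [pscustomobject]@{ State = 'NotRunning'; Version = $null; Path = $null }
    }
    foreach ($p in $procs) {
        # ProductVersion/FileVersion are empty when the session cannot open the
        # process, for example a non-elevated shell querying a service process.
        $v = ConvertTo-WebAccessVersion $p.ProductVersion
        if (-not $v) { $v = ConvertTo-WebAccessVersion $p.FileVersion }

        if (-not $v)                    { $state = 'Unknown' }
        elseif ($v -lt $FixedVersion)   { $state = 'Vulnerable' }   # includes 8.3.1 and 8.3.2
        else                            { $state = 'Patched' }

        [pscustomobject]@{ State = $state; Version = $v; Path = $p.Path }
    }
}

Get-WebAccessPatchState | Format-Table -AutoSize
```

Treat Unknown and NotRunning as findings to follow up, since neither confirms that the host is on a fixed release.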

6. Preventive Measures and Monitoring

Regular security baselines, vulnerability scanning, and a strong patch management process can help prevent similar issues. For example, update your CIS control implementation to include input validation checks.

  • Baselines: Update security baselines to require the latest WebAccess/SCADA version.
  • Pipelines: Integrate SAST or DAST tools into CI/CD pipelines to identify potential vulnerabilities in custom code.
  • Asset and patch process: Implement a regular patch review cycle for all SCADA systems, prioritizing critical vulnerabilities like this one.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 2: Service disruption during upgrade process. Mitigation: Schedule the upgrade during a maintenance window.
  • Roll back:
    1. Stop the WebAccess/SCADA service.
    2. Restart the WebAccess/SCADA service.

8. References and Resources

Official advisories provide detailed information about this vulnerability.

Updated on October 26, 2025
