CVE-2023-32540 HIGH

CVE-2023-32540

Vendor Advantech

Product WebAccess/SCADA

Weakness CWE-94 · Code injection

Published June 5, 2023

Last update January 8, 2025

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution.

Key dates

02Disclosure timeline

June 5, 2023 CVE published

January 8, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-32540 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/94.html

Related vulnerabilities

04Related CVE

CVE-2025-32432 Craft CMS Allows Remote Code Execution CVE-2025-42922 Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service) CVE-2025-9539 AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation CVE-2023-4142 WP Ultimate CSV Importer <= 7.9.8 - Authenticated (Author+) Remote Code Execution CVE-2026-33334 Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration