A total of 20 security flaws, including six rated as critical, have been uncovered in Advantech’s EKI industrial-grade Wi-Fi access points, with the potential to allow attackers to bypass authentication, execute remote code, and fully compromise affected devices.
“These vulnerabilities pose serious threats, including unauthorized remote code execution with root privileges, jeopardizing the confidentiality, integrity, and availability of the devices,” cybersecurity firm Nozomi Networks stated in a recent analysis.
Affected Devices and Fixed Firmware Versions
The flaws have been patched in the following firmware versions:
- Version 1.6.5 for EKI-6333AC-2G and EKI-6333AC-2GD
- Version 1.2.2 for EKI-6333AC-1GPO
The Scope of the Threats
Six critical vulnerabilities are of particular concern, enabling attackers to gain persistent access, plant backdoors, launch denial-of-service (DoS) attacks, and transform compromised endpoints into Linux workstations for lateral movement within a network.
Five of these critical vulnerabilities (CVE-2024-50370 to CVE-2024-50374, CVSS scores: 9.8) involve improper neutralization of OS command elements. The sixth, CVE-2024-50375 (CVSS score: 9.8), relates to missing authentication for a critical function.
Additionally, CVE-2024-50376 (CVSS score: 7.3), a cross-site scripting (XSS) vulnerability, can be chained with CVE-2024-50359 (CVSS score: 7.2), an authenticated OS command injection flaw, to achieve over-the-air arbitrary code execution.
Attack Vectors and Exploitation Details
An attack requires the adversary to be near the Advantech device and set up a rogue access point. The vulnerability is triggered when an administrator visits the “Wi-Fi Analyzer” section of the device’s web application. Malicious data embedded in beacon frames from the rogue access point is processed without proper sanitization, allowing attackers to exploit CVE-2024-50376.
By broadcasting a malicious SSID containing a JavaScript payload, attackers can execute XSS attacks, which could escalate into OS-level command injection (CVE-2024-50359), granting root access to the device. This could lead to the creation of reverse shells, providing the attacker with persistent control and the ability to infiltrate networks, extract sensitive data, and deploy further malware.
Immediate Action Required
Administrators are strongly advised to update their devices to the latest firmware versions to mitigate these risks. Failing to do so leaves networks vulnerable to severe attacks capable of compromising device functionality and broader network security.
