Moxa Active OPC Server Unquoted Service Path Escalation Vulnerability CVE-2016-5793
Moxa reports that the vulnerability affects the following product:
- Active OPC Server versions older than Version 2.4.19
The affected product, Active OPC Server, is a software package that operates as an OPC driver for an HMI or SCADA system. According to Moxa, Active OPC Server is deployed across several sectors including Commercial Facilities,
UNQUOTED SERVICE PATH
This vulnerability may allow an authorized individual with access to the file system to escalate privileges by inserting arbitrary code into the unquoted service path.
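A host audit for this class of misconfiguration, as an added example that is not part of the advisory or Moxa's code: it flags services whose executable path contains a space but is not wrapped in quotes. The sample service names and paths are constructed and hypothetical, and the registry reader assumes the standard `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services`.

```python
import os
import re
import sys

# Executable portion of an ImagePath: everything up to the first ".exe"
# that is followed by whitespace or end of string (arguments come after).
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

def is_unquoted_with_spaces(image_path):
    """True if the service executable path contains a space and is not quoted."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return False          # empty, or already quoted
    m = _EXE.match(path)
    if m is None:
        return False          # e.g. kernel drivers (.sys); out of scope here
    return " " in m.group(1)

def audit(services):
    """services: dict name -> ImagePath. Returns sorted names needing a fix."""
    return sorted(n for n, p in services.items() if is_unquoted_with_spaces(p))

def read_services_from_registry():
    """Live enumeration on Windows (HKLM\\SYSTEM\\CurrentControlSet\\Services)."""
    import winreg
    found = {}
    root = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, name) as sub:
                    raw = str(winreg.QueryValueEx(sub, "ImagePath")[0])
                    found[name] = os.path.expandvars(raw)
            except OSError:
                continue      # no ImagePath value or not readable
    return found

# Constructed sample values; service names and paths are hypothetical.
SAMPLE = {
    "ExampleOpcSvc": r"C:\Program Files\Example Vendor\OPC Server\opcsvc.exe -service",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\agent.exe" /run',
    "ExampleNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    services = read_services_from_registry() if sys.platform == "win32" else SAMPLE
    for name in audit(services):
        print(f"unquoted service path: {name}: {services[name]}")
```

On a non-Windows machine the script falls back to the constructed sample; on Windows it reads the live service list.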
Moxa recommends replacing existing Active OPC Server installations with the new software MX-AOPC UA server. Active OPC Server is nearing end of life by the end of 2016, and no further updates will be issued.
For existing Active OPC installations, Moxa suggests upgrading to Active OPC Server Version 2.4.19: http://www.moxa.com/support