CVE-2021-21915: 
Advantech R-SeeNet vulnerability analysis and mitigation

CVE-2021-21915 is a SQL injection vulnerability discovered in Advantech R-SeeNet version 2.4.15 (30.07.2021). The vulnerability exists in the 'group_list' page, specifically in the 'company_filter' parameter. The vulnerability was discovered by Yuri Kramarz of Cisco Talos and was publicly disclosed on November 22, 2021, after the vendor patched it on November 16, 2021. The vulnerability received a CVSS v3 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) (Talos Report).

The vulnerability stems from the misuse of prepared statements in the application's SQL database operations. Specifically, in the 'group_list' page, the 'company_filter' parameter is set as a session variable on line 100 of group_list.php. The vulnerability occurs when this variable is used on line 220 to build an SQL query, which is then executed on line 252. Despite initial sanitization attempts using mysqli_real_escape_string, the protection is lost when invoked against the database due to the way SQL concatenation is combined with stored procedures (Talos Report).

A successful exploitation of this vulnerability could allow an authenticated attacker to perform SQL injection attacks. The vulnerability has a high confidentiality impact, potentially allowing attackers to retrieve sensitive information from the product's database. The vulnerability affects the system's confidentiality but does not impact integrity or availability (CISA Advisory).

Advantech addressed this vulnerability in version 2.4.17 or later. Organizations are recommended to update to the latest version. Additionally, CISA recommends minimizing network exposure for control system devices, ensuring they are not accessible from the Internet, and using secure methods such as VPNs when remote access is required (CISA Advisory).