CVE-2021-21924: 
Advantech R-SeeNet vulnerability analysis and mitigation

A specially-crafted HTTP request can lead to SQL injection in Advantech R-SeeNet 2.4.15 (30.07.2021). The vulnerability exists in the 'desc_filter' parameter of the device_list page, where an attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery (Talos Intelligence).

The vulnerability exists due to misuse of prepared statements in the context of the application, along with stored procedures combined with SQL concatenation. Despite variables being initially sanitized, they lose that protection when invoked against the database. The vulnerability specifically affects the 'desc_filter' parameter which is set as a session variable and later used to build up a SQL query that gets executed. The CVSSv3 base score is 7.7 with vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (Talos Intelligence).

Successful exploitation of this vulnerability could allow an authenticated attacker to retrieve any information from the product's database through SQL injection (CISA).

Advantech recommends updating to Version 2.4.17 or later. Additionally, CISA recommends minimizing network exposure for all control system devices, ensuring they are not accessible from the Internet, and locating control system networks and remote devices behind firewalls isolated from the business network (CISA).