CVE-2021-21934: 
Advantech R-SeeNet vulnerability analysis and mitigation

A specially-crafted HTTP request can lead to SQL injection in Advantech R-SeeNet 2.4.15 (30.07.2021). The vulnerability exists in the 'imei_filter' parameter, where an attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery (Talos Intelligence).

The vulnerability occurs when the imei_filter parameter is set as a session variable on line 274 of device_list.php. The variable is then used on line 619 to build up a SQL query which gets executed on line 869. Despite initial sanitization, the protection is lost when invoked against the database due to misuse of prepared statements in combination with stored procedures and SQL concatenation (Talos Intelligence). The vulnerability has been assigned a CVSS v3 base score of 7.7 with vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (CISA).

Successful exploitation of this vulnerability could allow an authenticated attacker to retrieve any information from the product's database through SQL injection (CISA).

Advantech recommends updating to Version 2.4.17 or later. Additionally, CISA recommends minimizing network exposure for all control system devices, ensuring they are not accessible from the Internet, and locating control system networks and remote devices behind firewalls isolated from the business network (CISA).