CVE-2021-21937: 
Advantech R-SeeNet vulnerability analysis and mitigation

A specially-crafted HTTP request can lead to SQL injection in Advantech R-SeeNet version 2.4.15. The vulnerability exists in the 'hostaltfilter' parameter, where an attacker can make authenticated HTTP requests to trigger this vulnerability. This can be executed by any authenticated user or through cross-site request forgery (Talos Advisory).

The vulnerability is classified as CWE-89 (SQL Injection) with a CVSS v3.1 base score of 6.5 MEDIUM (NIST) and 7.7 HIGH (Talos). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue occurs due to misuse of prepared statements in the context of the application, along with stored procedures combined with SQL concatenation in such way that variables used to build up an SQL query, despite being initially sanitized, lose that protection when invoked against the database (Talos Advisory, NVD).

A successful exploitation of this vulnerability could allow an attacker to retrieve any information from the product's database through SQL injection (CISA Advisory).

Advantech recommends updating to Version 2.4.17 or later. Additionally, CISA recommends minimizing network exposure for all control system devices, ensuring they are not accessible from the Internet, and locating control system networks and remote devices behind firewalls and isolating them from the business network (CISA Advisory).