CVE-2023-3256: 
Advantech R-SeeNet vulnerability analysis and mitigation

Advantech R-SeeNet version 2.4.22 and prior versions contain a vulnerability that allows low-level users to access and load the content of local files. The vulnerability was discovered by security researcher Esjay (@esj4y) working with Trend Micro Zero Day Initiative and was assigned CVE-2023-3256. The issue was disclosed to the vendor on December 23, 2022, and was publicly announced in June 2023 (CISA Advisory, ZDI Advisory).

The vulnerability exists within the device_status page and stems from improper validation of user-supplied data before passing it to a PHP include function. It has been assigned CWE-73 (External Control of File Name or Path) and CWE-610 (Externally Controlled Reference to a Resource in Another Sphere). The vulnerability has received a CVSS v3.1 base score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and requiring low privileges (CISA Advisory, NVD).

Successful exploitation of this vulnerability allows attackers to escalate privileges to access resources normally protected from the user. The vulnerability affects critical infrastructure sectors including Critical Manufacturing, Energy, Water and Wastewater Systems worldwide (CISA Advisory, ZDI Advisory).

Advantech has released R-SeeNet version 2.4.23 which fixes the vulnerability. Users are recommended to upgrade to this version. Additionally, CISA recommends implementing defensive measures including following the least-privilege user principle, minimizing network exposure, locating control system networks behind firewalls, and using secure methods for remote access such as VPNs (CISA Advisory).