Advantech ADAM-5630
has built-in commands that can be executed without authenticating the
user. These commands allow for restarting the operating system,
rebooting the hardware, and stopping the execution. The commands can be
sent to a simple HTTP request and are executed by the device
automatically, without discrimination of origin or level of privileges
of the user sending the commands.
Credits
Aarón Flecha Menéndez and Luis Villalba Pérez of S21sec reported these vulnerabilities to CISA.
