The Cyber Security Agency (CSA) of Singapore has issued an urgent security advisory highlighting multiple high-impact vulnerabilities affecting Advantech’s industrial automation products, specifically the WISE-4010LAN, WISE-4050LAN, and WISE-4060LAN series. These devices are widely deployed in Industrial Control Systems (ICS), and exploitation of the flaws could lead to remote takeovers, system reboots, Modbus manipulation, and even physical device compromise.
According to CSA, the vulnerabilities—tracked as CVE-2025-48461 through CVE-2025-48470—have been addressed by Advantech through security patches and mitigation strategies, but urgent action is still required by system administrators.
Among the eight disclosed CVEs, several stand out due to their potential for unauthenticated remote exploitation, critical infrastructure control, and persistent access:
- CVE-2025-48469 (CVSS 9.6): Allows unauthenticated attackers to upload firmware via a public update page, opening the door to backdoor installations or privilege escalation.
- CVE-2025-48466 (CVSS 8.1): Lets a remote attacker send malicious Modbus TCP packets to manipulate digital outputs, effectively gaining physical control over relay switches—an alarming risk to industrial operations.
- CVE-2025-48461 (CVSS 5.0): Involves predictable session cookies, enabling brute-force account takeovers and unauthorized access to root/admin accounts.
“Successful exploitation of the vulnerability could allow an unauthenticated attacker to conduct brute force guessing and account takeover… potentially allowing the attackers to gain root, admin or user access and reset passwords,” warns the CSA.
Additionally, CVE-2025-48468 exposes a physical vector, allowing attackers with JTAG access to inject or modify firmware, though this has been mitigated in newer firmware builds.
Adding urgency to the situation, public PoC exploit code has been released for two critical CVEs:
These proofs demonstrate real-world exploitability and increase the risk of widespread attacks, especially in environments that have not yet implemented the fixes.
The CSA outlines a two-pronged mitigation strategy based on the severity of the vulnerabilities:
1. Enable “Security Mode”
Applies to CVE-2025-48461, CVE-2025-48462, CVE-2025-48463, CVE-2025-48469, CVE-2025-48470.
“Security Mode restricts access to unsecured web interfaces and disables unnecessary services to reduce attack surfaces.”
2. Firmware Update to A2.02 B00
Covers CVE-2025-48466, CVE-2025-48467, and CVE-2025-48468. Key changes include:
- Manual disablement of Modbus TCP (if not in use).
- JTAG interface disabled by default during normal operation.
“Users and administrators of affected products are encouraged to update and implement the recommended mitigation measures,” the CSA advisory states.
Firmware and guidance are available here.
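Where Modbus TCP has to stay enabled, writes to digital outputs from unexpected hosts are worth alerting on. The following is an added example, not code from the CSA advisory or from Advantech: it parses Modbus TCP frames and flags coil-write requests from sources outside an allowlist, assuming payloads have already been extracted from port 502 traffic, one frame per payload, and using constructed IP addresses and packets.

```python
import struct

# Function codes that change digital outputs (coils) on a Modbus device.
COIL_WRITES = {0x05: "Write Single Coil", 0x0F: "Write Multiple Coils"}

def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus TCP ADU; return None for anything malformed."""
    if len(payload) < 8:  # 7-byte MBAP header plus function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts unit id + PDU bytes.
    if proto != 0 or len(payload) != 6 + length:
        return None
    return {"tid": tid, "unit": unit, "func": payload[7], "data": payload[8:]}

def coil_write_alerts(packets, allowed_masters):
    """Return (src, operation, coil address, detail) for coil writes
    sent by hosts that are not approved Modbus masters."""
    alerts = []
    for src, payload in packets:
        frame = parse_modbus_tcp(payload)
        if frame is None or frame["func"] not in COIL_WRITES:
            continue  # malformed frame, or a request that does not write coils
        if src in allowed_masters or len(frame["data"]) < 4:
            continue  # approved master, or request too short to decode
        addr, second = struct.unpack(">HH", frame["data"][:4])
        if frame["func"] == 0x05:
            detail = "ON" if second == 0xFF00 else "OFF"  # requested coil state
        else:
            detail = f"{second} coils"                    # quantity of coils
        alerts.append((src, COIL_WRITES[frame["func"]], addr, detail))
    return alerts

# Constructed sample data: (source IP, TCP payload sent to port 502).
ALLOWED_MASTERS = {"10.0.0.5"}  # hypothetical approved SCADA master
SAMPLE_PACKETS = [
    ("10.0.0.5", bytes.fromhex("000100000006010100000008")),       # read coils
    ("10.0.0.5", bytes.fromhex("00020000000601050000ff00")),       # approved write
    ("10.0.0.99", bytes.fromhex("00030000000601050002ff00")),      # coil 2 ON
    ("10.0.0.99", bytes.fromhex("000400000008010f00000004010f")),  # 4 coils
    ("10.0.0.99", bytes.fromhex("00050000")),                      # truncated
]

if __name__ == "__main__":
    for alert in coil_write_alerts(SAMPLE_PACKETS, ALLOWED_MASTERS):
        print("ALERT", alert)
```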