CVE-2014-0772 in WebAccess
Summary
by MITRE
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named OpenUrlToBufferTimeout. This method takes a URL as a parameter and returns its contents to the caller in JavaScript. The URLs are accessed in the security context of the current browser session. The control does not perform any URL validation and allows file:// URLs that access the local disk.
The method can be used to open a URL (including file URLs) and read the URLs through JavaScript. This method could also be used to reach any arbitrary URL to which the browser has access.
Analysis
by VulDB Data Team • 05/10/2026
CVE-2014-0772 is a critical flaw in Advantech WebAccess software version 7.1 and earlier, specifically in the BWOCXRUN.BwocxrunCtrl.1 ActiveX control. It stems from improper input validation and handling in the OpenUrlToBufferTimeout method, which creates a path traversal condition that remote attackers can exploit. The flaw lives in the bwocxrun.ocx component of the Advantech WebAccess platform used for industrial automation and monitoring systems, which makes it particularly concerning for operational technology environments.
Exploitation works by passing a file: URL to the ActiveX control's OpenUrlToBufferTimeout method. When an attacker's page supplies a file: URL pointing to a local file on the target system, the control reads and buffers that file's contents without any authorization check, giving the page arbitrary read access to files that should be protected from external access, including sensitive system files, configuration data, or credentials stored locally. The vulnerability is classified under CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal.
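The missing check is URL validation before the fetch. As an added example (not Advantech's code and not part of this page), the Python below models the policy a fetch-to-buffer method exposed to page JavaScript needs: only http(s) URLs, and only on the hosting page's origin, which rejects the file: URLs and scheme-less local paths described above and also stops the control being used to reach other hosts with the browser session's credentials. The names `validate_fetch_url`, `is_allowed` and `webaccess.example` are constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical model (not the vendor's code) of the URL check that
# OpenUrlToBufferTimeout lacks: accept only http(s) URLs on the page origin.
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


class UrlRejected(ValueError):
    """Raised when a URL must not be fetched on behalf of page script."""


def validate_fetch_url(url: str, page_origin: str) -> str:
    """Return the URL if it is an http(s) URL on page_origin, else raise."""
    if not isinstance(url, str) or not url.strip():
        raise UrlRejected("empty URL")
    u = url.strip()
    # WinInet/URLMon treat backslashes and \\server\share as local paths,
    # so refuse them outright instead of trying to normalise them.
    if "\\" in u:
        raise UrlRejected("backslash in URL")
    parts = urlsplit(u)
    # Rejects file:, res:, about:, javascript:, drive-letter paths ("C:/x"
    # parses with scheme "c") and scheme-less "//server/share" references.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UrlRejected(f"scheme not allowed: {parts.scheme or '<none>'}")
    if not parts.hostname:
        raise UrlRejected("missing host")
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError as exc:  # e.g. "http://host:abc/"
        raise UrlRejected("invalid port") from exc
    origin = urlsplit(page_origin)
    origin_port = origin.port or DEFAULT_PORTS.get(origin.scheme)
    # Same-origin check: the control runs with the browser session's
    # credentials, so reaching other hosts would turn it into a proxy.
    if (parts.scheme, parts.hostname.lower(), port) != \
            (origin.scheme, (origin.hostname or "").lower(), origin_port):
        raise UrlRejected("cross-origin fetch not allowed")
    return parts.geturl()


def is_allowed(url: str, page_origin: str) -> bool:
    """Boolean wrapper for policy checks and tests."""
    try:
        validate_fetch_url(url, page_origin)
        return True
    except UrlRejected:
        return False
```

Run with constructed inputs such as `is_allowed("file:///C:/Windows/win.ini", "http://webaccess.example")` to see the file: case rejected while a same-origin http URL passes.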
The operational impact of this vulnerability extends beyond simple information disclosure, as it can enable attackers to gain deeper insights into the target system's configuration and potentially escalate privileges. In industrial control systems where Advantech WebAccess is deployed, this vulnerability could allow adversaries to access critical system files, configuration parameters, or even sensitive operational data that could be used for further attacks or system compromise. The remote nature of the exploitation means that attackers do not require physical access to the system, making this vulnerability particularly dangerous for environments where network exposure is inevitable.
Security practitioners should update to Advantech WebAccess version 7.2 or later, which contains the patch for this vulnerability. Network segmentation and access controls should be reinforced to limit exposure of systems running the vulnerable ActiveX component. Browser security features such as ActiveX filtering, sandboxing, and strict security zones can help prevent exploitation. This vulnerability aligns with ATT&CK technique T1059.007 for Windows Command Shell and T1071.004 for Application Layer Protocol: DNS, as attackers may use it to gather system information and establish further footholds within the network. Organizations should also assess their other ActiveX controls and components for similar path traversal weaknesses, particularly in legacy industrial control systems where patch management is difficult.