CVE-2014-2367 in WebAccess
Summary
by MITRE
The ChkCookie subroutine in an ActiveX control in broadweb/include/gChkCook.asp in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 10/06/2025
The vulnerability identified as CVE-2014-2367 represents a critical file inclusion flaw within Advantech WebAccess software version 7.1 and earlier, specifically affecting the ActiveX control component. This issue resides in the ChkCookie subroutine located within the broadweb/include/gChkCook.asp file, which forms part of the broader web-based industrial automation platform. The vulnerability stems from inadequate input validation and improper access controls within the ActiveX control implementation, creating a pathway for malicious actors to exploit the system's file handling mechanisms.
The technical exploitation of this vulnerability occurs through a crafted call to the ChkCookie subroutine that bypasses normal file access restrictions. Attackers can manipulate the ActiveX control to read arbitrary files from the server filesystem by constructing specific parameters that are not properly sanitized or validated. This flaw operates under the principle of insecure direct object reference, where the application provides direct access to objects based on user-supplied input without proper authorization checks. The vulnerability is classified as a path traversal issue that allows unauthorized file access, potentially exposing sensitive system files, configuration data, or user information.
The operational impact of this vulnerability extends beyond simple information disclosure, as it can enable attackers to gain unauthorized access to critical system resources within the industrial control environment. The exploitation can lead to complete system compromise, particularly in industrial settings where WebAccess is deployed for monitoring and control operations. Attackers may leverage this vulnerability to access sensitive operational data, manipulate control systems, or establish persistent access points within the network infrastructure. The vulnerability affects the confidentiality and integrity of the system, potentially disrupting industrial processes and creating security breaches in critical infrastructure environments.
Mitigation strategies for CVE-2014-2367 should include immediate patching of Advantech WebAccess to version 7.2 or later, which contains the necessary fixes for the ActiveX control vulnerability. Organizations should also implement network segmentation to isolate industrial control systems from general network access, deploy intrusion detection systems to monitor for exploitation attempts, and conduct regular security assessments of web-based industrial applications. The vulnerability aligns with CWE-22 Path Traversal and CWE-23 Relative Path Traversal, representing a classic example of improper input validation in web applications. From an ATT&CK framework perspective, this vulnerability maps to T1059 Command and Scripting Interpreter and T1566 Phishing, as attackers may use this weakness to gain initial access and establish persistent presence within industrial networks. Organizations should also consider implementing web application firewalls and restricting ActiveX control usage to minimize the attack surface and prevent exploitation of similar vulnerabilities in the future.