Dangerous vulnerabilities have been identified in Advantech WebAccess HMI Designer, a SCADA/HMI development solution. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on a target system using specially crafted .pm3 files. Processing such files may result in a heap-based buffer overflow (CVE-2018-8833), a double-free condition (CVE-2018-8835) and an out-of-bounds write (CVE-2018-8837).
The vulnerabilities affect all versions of the software up to 188.8.131.52 (inclusive). Their severity is rated as medium (CVSS v3 base score of 6.3).
Advantech is working on a solution for this issue.