Advantech is providing IoT software company. It is providing HMI, Web access platform, and HTML-5 based user interface. Therefore, I keep research on the devices.

After the research of IoT devices, I have found some of systems don’t have the password. Anonymous user can easily enter his system. This is a critical vulnerability to open your machine and don’t have a strong password. I always wondering about IoT devices and It’s vulnerability. I know the powerful device search engine zoomeye. After more research, The leader of Knownsec 404 team Heigh (@80vul) He tweeted about Advantech and zoomeye dork.

In the end, I am confused where should I have to report about this? Is this mistake of the Advantech they didn’t provide any default password or Mistake of the company who didn’t set the password.

Proof of concept.



Please enter your comment!
Please enter your name here