{"cve":{"cve_id":"CVE-2014-0773","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.02519,"epss_percentile":0.82783,"epss_as_of":"2026-06-23","description":"The BWOCXRUN.BwocxrunCtrl.1 control contains a method named \n“CreateProcess.” This method contains validation to ensure an attacker \ncannot run arbitrary command lines. After validation, the values \nsupplied in the HTML are passed to the Windows CreateProcessA API.\n\n\nThe validation can be bypassed allowing for running arbitrary command\n lines. The command line can specify running remote files (example: UNC \ncommand line).\n\n\nA function exists at offset 100019B0 of bwocxrun.ocx. Inside this \nfunction, there are 3 calls to strstr to check the contents of the user \nspecified command line. If “\\setup.exe,” “\\bwvbprt.exe,” or \n“\\bwvbprtl.exe” are contained in the command line (strstr returns \nnonzero value), the command line passes validation and is then passed to\n CreateProcessA.","published_at":"2014-04-12T01:00:00Z","last_modified_at":null,"cvss_v3_score":null,"cvss_v3_vector":null,"cvss_v3_severity":null,"cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-77"],"nvd_references":["https://www.cisa.gov/news-events/ics-advisories/icsa-14-079-03","http://www.securityfocus.com/bid/66740","http://webaccess.advantech.com/"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:07:06.086468Z"},"effective_severity":null,"badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":null,"metrics":[]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"advantech","vendor_name":"Advantech","product_slug":"webaccess","product_name":"WebAccess","version_start":"0","version_start_inclusive":true,"version_end":"7.1","version_end_inclusive":true,"cpe23_uri":"cve5:advantech:webaccess:0:7.1"},{"vendor_slug":"advantech","vendor_name":"Advantech","product_slug":"webaccess","product_name":"WebAccess","version_start":"7.2","version_start_inclusive":true,"version_end":"7.2","version_end_inclusive":true,"cpe23_uri":"cve5:advantech:webaccess:7.2:7.2"}],"exploit_refs":[],"news":[],"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-14-079-03","source_type":"VENDOR_ADVISORY","tags":["advisory"]},{"url":"http://www.securityfocus.com/bid/66740","source_type":"MISC","tags":[]},{"url":"http://webaccess.advantech.com/","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2014-04-12T01:00:00Z","label":"CVE published","source":null}]}