An attacker could use a specially crafted URL to delete files outside the WebAccess/NMS's (versions before 3.0.2) control.
advantech webaccess\\/nms