An attacker could use a specially crafted URL to delete or read files outside the control of WebAccess/NMS (versions before 3.0.2).
advantech webaccess/nms