Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet, potentially affecting data confidentiality, integrity, and availability. Users and administrators of affected product versions are advised to update to the latest versions immediately.
An attacker without any authentication can send a specially crafted network request to the Advantech IoT Suite service exposed to Internet access. The injected SQL commands are then executed directly by the vulnerable service without input data validation. The attack vector is network-based, does not require user interaction or special privileges, and its scope extends beyond the component where the vulnerability occurred (Scope: Changed).
An attacker can gain unauthorized access to data stored in the database, modify or delete this data, and potentially cause service unavailability — confidentiality, integrity, and system availability are threatened.
All mentioned products must be immediately updated to the latest versions according to manufacturer recommendations and information contained in the references. Until the patch is implemented, it is recommended to limit the exposure of vulnerable services to Internet access through a firewall or other network access control mechanisms.
Advantech IoT Edge Linux Docker, Advantech IoT Edge Windows, Advantech IoTSuite Growth Linux Docker, Advantech IoTSuite SaaS Composer, Advantech IoTSuite Starter Linux Docker — specific versions indicated in manufacturer references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HAdvantech Iot Edge Linux Docker
APPAdvantech< 2.0.2Advantech Iot Edge Windows
APPAdvantech< 2.0.2Advantech Iotsuite Growth Linux Docker
APPAdvantech< 2.0.2Advantech Iotsuite Saas Composer
APPAdvantech< 3.4.15Advantech Iotsuite Starter Linux Docker
APPAdvantech< 2.0.2
Related vulnerabilities
Advantech WISE-DeviceOn Server — hardcoded klucz JWT umożliwia pełne przejęcie systemu
Advantech iView – Auth Bypass i SQL Injection prowadzące do RCE
Advantech iView – Auth Bypass + SQL Injection prowadzące do RCE
Advantech iView — Auth Bypass + SQL Injection prowadzący do RCE
Advantech WISE-40x0 — nieuwierzytelniony upload firmware (Auth Bypass)