Search criteria
137 vulnerabilities found for iView by Advantech
CVE-2025-13373 (GCVE-0-2025-13373)
Vulnerability from nvd – Published: 2025-12-04 22:50 – Updated: 2025-12-04 22:50
VLAI?
Summary
Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Credits
m00nback reported this vulnerability to CISA.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"status": "affected",
"version": "5.7.05.7057"
},
{
"status": "unaffected",
"version": "5.8.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "m00nback reported this vulnerability to CISA."
}
],
"datePublic": "2025-12-04T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.\u003c/span\u003e"
}
],
"value": "Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T22:50:36.079Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-07"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-07.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech recommends users update to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183\"\u003eiView v5.8.1\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users update to iView v5.8.1 https://www.advantech.com/zh-tw/support/details/firmware ."
}
],
"source": {
"advisory": "ICSA-25-338-07",
"discovery": "EXTERNAL"
},
"title": "Advantech iView SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-13373",
"datePublished": "2025-12-04T22:50:36.079Z",
"dateReserved": "2025-11-18T18:48:07.936Z",
"dateUpdated": "2025-12-04T22:50:36.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50595 (GCVE-0-2022-50595)
Vulnerability from nvd – Published: 2025-11-06 19:58 – Updated: 2025-11-15 23:59
VLAI?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_search_value’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Exodus Intelligence
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T20:32:39.463045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:33:36.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"\u2018NetworkServlet\u2019 endpoint",
"\u2018ztp_search_value\u2019 parameter"
],
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.04 build 6425",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.04.6425",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Exodus Intelligence"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_search_value\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003c/span\u003e"
}
],
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_search_value\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-15T23:59:59.400Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-ztp_search_value-parameter-sql-injection-remote-code-execution-vulnerability/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-ztpsearchvalue-parameter-sqli-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2022-03-01T17:00:00.000Z",
"value": "Exodus Intelligence publicly discloses technical details of vulnerability."
},
{
"lang": "en",
"time": "2022-01-27T17:00:00.000Z",
"value": "Advantech releases patched version - 5.7.04 build 6425."
}
],
"title": "Advantech iView \u003c v5.7.04 Build 6425 ztp_search_value Parameter SQL Injection RCE",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50595",
"datePublished": "2025-11-06T19:58:23.068Z",
"dateReserved": "2025-11-05T16:58:35.657Z",
"dateUpdated": "2025-11-15T23:59:59.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50591 (GCVE-0-2022-50591)
Vulnerability from nvd – Published: 2025-11-06 19:58 – Updated: 2025-11-15 23:58
VLAI?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_config_id’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Exodus Intelligence
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T20:36:05.770888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:36:15.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"\u2018NetworkServlet\u2019 endpoint",
"\u2018ztp_config_id\u2019 parameter"
],
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.04 build 6425",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.04.6425",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Exodus Intelligence"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_config_id\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_config_id\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-15T23:58:29.068Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-ztp_config_id-parameter-sql-injection-information-disclosure-vulnerability/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-ztpconfigid-parameter-sqli-information-disclosure"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2022-03-01T17:00:00.000Z",
"value": "Exodus Intelligence publicly discloses technical details of vulnerability."
},
{
"lang": "en",
"time": "2022-01-27T17:00:00.000Z",
"value": "Advantech releases patched version - 5.7.04 build 6425."
}
],
"title": "Advantech iView \u003c v5.7.04 Build 6425 ztp_config_id Parameter SQL Injection Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50591",
"datePublished": "2025-11-06T19:58:06.223Z",
"dateReserved": "2025-11-05T16:58:35.656Z",
"dateUpdated": "2025-11-15T23:58:29.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50593 (GCVE-0-2022-50593)
Vulnerability from nvd – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:59
VLAI?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘search_term’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Exodus Intelligence
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50593",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T20:53:42.734371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:02:21.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"\u2018NetworkServlet\u2019 endpoint",
"\u2018data\u2019 parameter"
],
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.04 build 6425",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.04.6425",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Exodus Intelligence"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018search_term\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003c/span\u003e"
}
],
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018search_term\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-15T23:59:11.781Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-search_term-parameter-sql-injection-remote-code-execution-vulnerability/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-searchterm-parameter-sqli-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2022-03-01T17:00:00.000Z",
"value": "Exodus Intelligence publicly discloses technical details of vulnerability."
},
{
"lang": "en",
"time": "2022-01-27T17:00:00.000Z",
"value": "Advantech releases patched version - 5.7.04 build 6425."
}
],
"title": "Advantech iView \u003c v5.7.04 Build 6425 search_term Parameter SQL Injection RCE",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50593",
"datePublished": "2025-11-06T19:57:44.271Z",
"dateReserved": "2025-11-05T16:58:35.657Z",
"dateUpdated": "2025-11-15T23:59:11.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50592 (GCVE-0-2022-50592)
Vulnerability from nvd – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:58
VLAI?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘getInventoryReportData’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Exodus Intelligence
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50592",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:06:59.646737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:07:38.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"\u2018NetworkServlet\u2019 endpoint",
"\u2018getInventoryReportData\u2019 parameter"
],
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.04 build 6425",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.04.6425",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Exodus Intelligence"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018getInventoryReportData\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018getInventoryReportData\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-15T23:58:49.386Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-getinventoryreportdata-parameter-sql-injection-information-disclosure/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-getinventoryreportdata-parameter-sqli-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2022-03-01T17:00:00.000Z",
"value": "Exodus Intelligence publicly discloses technical details of vulnerability."
},
{
"lang": "en",
"time": "2022-01-27T17:00:00.000Z",
"value": "Advantech releases patched version - 5.7.04 build 6425."
}
],
"title": "Advantech iView \u003c v5.7.04 Build 6425 getInventoryReportData Parameter SQL Injection RCE",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50592",
"datePublished": "2025-11-06T19:57:20.528Z",
"dateReserved": "2025-11-05T16:58:35.656Z",
"dateUpdated": "2025-11-15T23:58:49.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50594 (GCVE-0-2022-50594)
Vulnerability from nvd – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:59
VLAI?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘data’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Exodus Intelligence
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50594",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:09:23.817460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:10:30.978Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"\u2018NetworkServlet\u2019 endpoint",
"\u2018data\u2019 parameter"
],
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.04 build 6425",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.04.6425",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Exodus Intelligence"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018data\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.\u003c/span\u003e"
}
],
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018data\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-15T23:59:29.701Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-page_action_service-parameter-sql-injection-remote-code-execution-vulnerability/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-data-parameter-sqli-information-disclosure"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2022-03-01T17:00:00.000Z",
"value": "Exodus Intelligence publicly discloses technical details of vulnerability."
},
{
"lang": "en",
"time": "2022-01-27T17:00:00.000Z",
"value": "Advantech releases patched version - 5.7.04 build 6425."
}
],
"title": "Advantech iView \u003c v5.7.04 Build 6425 data Parameter SQL Injection Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50594",
"datePublished": "2025-11-06T19:57:00.425Z",
"dateReserved": "2025-11-05T16:58:35.657Z",
"dateUpdated": "2025-11-15T23:59:29.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53509 (GCVE-0-2025-53509)
Vulnerability from nvd – Published: 2025-07-10 23:29 – Updated: 2025-07-11 13:29
VLAI?
Summary
A vulnerability exists in Advantech iView that allows for argument
injection in the NetworkServlet.restoreDatabase(). This issue requires
an authenticated attacker with at least user-level privileges. An input
parameter can be used directly in a command without proper sanitization,
allowing arbitrary arguments to be injected. This can result in
information disclosure, including sensitive database credentials.
Severity ?
CWE
Assigner
References
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T13:29:30.324999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:29:37.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.05 build 7057",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in the NetworkServlet.restoreDatabase(). This issue requires \nan authenticated attacker with at least user-level privileges. An input \nparameter can be used directly in a command without proper sanitization,\n allowing arbitrary arguments to be injected. This can result in \ninformation disclosure, including sensitive database credentials."
}
],
"value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in the NetworkServlet.restoreDatabase(). This issue requires \nan authenticated attacker with at least user-level privileges. An input \nparameter can be used directly in a command without proper sanitization,\n allowing arbitrary arguments to be injected. This can result in \ninformation disclosure, including sensitive database credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T23:29:10.103Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
},
{
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users update to v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware- ."
}
],
"source": {
"advisory": "ICSA-25-191-08",
"discovery": "EXTERNAL"
},
"title": "Advantech iView Argument Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-53509",
"datePublished": "2025-07-10T23:29:10.103Z",
"dateReserved": "2025-07-02T15:12:58.651Z",
"dateUpdated": "2025-07-11T13:29:37.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52459 (GCVE-0-2025-52459)
Vulnerability from nvd – Published: 2025-07-10 23:28 – Updated: 2025-07-11 13:29
VLAI?
Summary
A vulnerability exists in Advantech iView that allows for argument
injection in NetworkServlet.backupDatabase(). This issue requires an
authenticated attacker with at least user-level privileges. Certain
parameters can be used directly in a command without proper
sanitization, allowing arbitrary arguments to be injected. This can
result in information disclosure, including sensitive database
credentials.
Severity ?
CWE
Assigner
References
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T13:29:50.282666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:29:56.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.05 build 7057",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in NetworkServlet.backupDatabase(). This issue requires an \nauthenticated attacker with at least user-level privileges. Certain \nparameters can be used directly in a command without proper \nsanitization, allowing arbitrary arguments to be injected. This can \nresult in information disclosure, including sensitive database \ncredentials."
}
],
"value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in NetworkServlet.backupDatabase(). This issue requires an \nauthenticated attacker with at least user-level privileges. Certain \nparameters can be used directly in a command without proper \nsanitization, allowing arbitrary arguments to be injected. This can \nresult in information disclosure, including sensitive database \ncredentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T23:28:08.679Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
},
{
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users update to v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware- ."
}
],
"source": {
"advisory": "ICSA-25-191-08",
"discovery": "EXTERNAL"
},
"title": "Advantech iView Argument Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-52459",
"datePublished": "2025-07-10T23:28:08.679Z",
"dateReserved": "2025-07-02T15:12:58.643Z",
"dateUpdated": "2025-07-11T13:29:56.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-13373 (GCVE-0-2025-13373)
Vulnerability from cvelistv5 – Published: 2025-12-04 22:50 – Updated: 2025-12-04 22:50
VLAI?
Summary
Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Credits
m00nback reported this vulnerability to CISA.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"status": "affected",
"version": "5.7.05.7057"
},
{
"status": "unaffected",
"version": "5.8.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "m00nback reported this vulnerability to CISA."
}
],
"datePublic": "2025-12-04T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.\u003c/span\u003e"
}
],
"value": "Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T22:50:36.079Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-07"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-07.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech recommends users update to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183\"\u003eiView v5.8.1\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users update to iView v5.8.1 https://www.advantech.com/zh-tw/support/details/firmware ."
}
],
"source": {
"advisory": "ICSA-25-338-07",
"discovery": "EXTERNAL"
},
"title": "Advantech iView SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-13373",
"datePublished": "2025-12-04T22:50:36.079Z",
"dateReserved": "2025-11-18T18:48:07.936Z",
"dateUpdated": "2025-12-04T22:50:36.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50595 (GCVE-0-2022-50595)
Vulnerability from cvelistv5 – Published: 2025-11-06 19:58 – Updated: 2025-11-15 23:59
VLAI?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_search_value’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Exodus Intelligence
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T20:32:39.463045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:33:36.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"\u2018NetworkServlet\u2019 endpoint",
"\u2018ztp_search_value\u2019 parameter"
],
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.04 build 6425",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.04.6425",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Exodus Intelligence"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_search_value\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003c/span\u003e"
}
],
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_search_value\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-15T23:59:59.400Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-ztp_search_value-parameter-sql-injection-remote-code-execution-vulnerability/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-ztpsearchvalue-parameter-sqli-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2022-03-01T17:00:00.000Z",
"value": "Exodus Intelligence publicly discloses technical details of vulnerability."
},
{
"lang": "en",
"time": "2022-01-27T17:00:00.000Z",
"value": "Advantech releases patched version - 5.7.04 build 6425."
}
],
"title": "Advantech iView \u003c v5.7.04 Build 6425 ztp_search_value Parameter SQL Injection RCE",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50595",
"datePublished": "2025-11-06T19:58:23.068Z",
"dateReserved": "2025-11-05T16:58:35.657Z",
"dateUpdated": "2025-11-15T23:59:59.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50591 (GCVE-0-2022-50591)
Vulnerability from cvelistv5 – Published: 2025-11-06 19:58 – Updated: 2025-11-15 23:58
VLAI?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_config_id’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Exodus Intelligence
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T20:36:05.770888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T20:36:15.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"\u2018NetworkServlet\u2019 endpoint",
"\u2018ztp_config_id\u2019 parameter"
],
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.04 build 6425",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.04.6425",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Exodus Intelligence"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_config_id\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_config_id\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-15T23:58:29.068Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-ztp_config_id-parameter-sql-injection-information-disclosure-vulnerability/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-ztpconfigid-parameter-sqli-information-disclosure"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2022-03-01T17:00:00.000Z",
"value": "Exodus Intelligence publicly discloses technical details of vulnerability."
},
{
"lang": "en",
"time": "2022-01-27T17:00:00.000Z",
"value": "Advantech releases patched version - 5.7.04 build 6425."
}
],
"title": "Advantech iView \u003c v5.7.04 Build 6425 ztp_config_id Parameter SQL Injection Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50591",
"datePublished": "2025-11-06T19:58:06.223Z",
"dateReserved": "2025-11-05T16:58:35.656Z",
"dateUpdated": "2025-11-15T23:58:29.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50593 (GCVE-0-2022-50593)
Vulnerability from cvelistv5 – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:59
VLAI?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘search_term’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Exodus Intelligence
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50593",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T20:53:42.734371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:02:21.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"\u2018NetworkServlet\u2019 endpoint",
"\u2018data\u2019 parameter"
],
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.04 build 6425",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.04.6425",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Exodus Intelligence"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018search_term\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003c/span\u003e"
}
],
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018search_term\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-15T23:59:11.781Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-search_term-parameter-sql-injection-remote-code-execution-vulnerability/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-searchterm-parameter-sqli-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2022-03-01T17:00:00.000Z",
"value": "Exodus Intelligence publicly discloses technical details of vulnerability."
},
{
"lang": "en",
"time": "2022-01-27T17:00:00.000Z",
"value": "Advantech releases patched version - 5.7.04 build 6425."
}
],
"title": "Advantech iView \u003c v5.7.04 Build 6425 search_term Parameter SQL Injection RCE",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50593",
"datePublished": "2025-11-06T19:57:44.271Z",
"dateReserved": "2025-11-05T16:58:35.657Z",
"dateUpdated": "2025-11-15T23:59:11.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50592 (GCVE-0-2022-50592)
Vulnerability from cvelistv5 – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:58
VLAI?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘getInventoryReportData’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Exodus Intelligence
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50592",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:06:59.646737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:07:38.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"\u2018NetworkServlet\u2019 endpoint",
"\u2018getInventoryReportData\u2019 parameter"
],
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.04 build 6425",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.04.6425",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Exodus Intelligence"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018getInventoryReportData\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
}
],
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018getInventoryReportData\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-15T23:58:49.386Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-getinventoryreportdata-parameter-sql-injection-information-disclosure/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-getinventoryreportdata-parameter-sqli-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2022-03-01T17:00:00.000Z",
"value": "Exodus Intelligence publicly discloses technical details of vulnerability."
},
{
"lang": "en",
"time": "2022-01-27T17:00:00.000Z",
"value": "Advantech releases patched version - 5.7.04 build 6425."
}
],
"title": "Advantech iView \u003c v5.7.04 Build 6425 getInventoryReportData Parameter SQL Injection RCE",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50592",
"datePublished": "2025-11-06T19:57:20.528Z",
"dateReserved": "2025-11-05T16:58:35.656Z",
"dateUpdated": "2025-11-15T23:58:49.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50594 (GCVE-0-2022-50594)
Vulnerability from cvelistv5 – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:59
VLAI?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘data’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Exodus Intelligence
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50594",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:09:23.817460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:10:30.978Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"\u2018NetworkServlet\u2019 endpoint",
"\u2018data\u2019 parameter"
],
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.04 build 6425",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.04.6425",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Exodus Intelligence"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018data\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.\u003c/span\u003e"
}
],
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018data\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-15T23:59:29.701Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes",
"patch"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-page_action_service-parameter-sql-injection-remote-code-execution-vulnerability/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-data-parameter-sqli-information-disclosure"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2022-03-01T17:00:00.000Z",
"value": "Exodus Intelligence publicly discloses technical details of vulnerability."
},
{
"lang": "en",
"time": "2022-01-27T17:00:00.000Z",
"value": "Advantech releases patched version - 5.7.04 build 6425."
}
],
"title": "Advantech iView \u003c v5.7.04 Build 6425 data Parameter SQL Injection Information Disclosure",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50594",
"datePublished": "2025-11-06T19:57:00.425Z",
"dateReserved": "2025-11-05T16:58:35.657Z",
"dateUpdated": "2025-11-15T23:59:29.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53509 (GCVE-0-2025-53509)
Vulnerability from cvelistv5 – Published: 2025-07-10 23:29 – Updated: 2025-07-11 13:29
VLAI?
Summary
A vulnerability exists in Advantech iView that allows for argument
injection in the NetworkServlet.restoreDatabase(). This issue requires
an authenticated attacker with at least user-level privileges. An input
parameter can be used directly in a command without proper sanitization,
allowing arbitrary arguments to be injected. This can result in
information disclosure, including sensitive database credentials.
Severity ?
CWE
Assigner
References
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T13:29:30.324999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:29:37.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.05 build 7057",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in the NetworkServlet.restoreDatabase(). This issue requires \nan authenticated attacker with at least user-level privileges. An input \nparameter can be used directly in a command without proper sanitization,\n allowing arbitrary arguments to be injected. This can result in \ninformation disclosure, including sensitive database credentials."
}
],
"value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in the NetworkServlet.restoreDatabase(). This issue requires \nan authenticated attacker with at least user-level privileges. An input \nparameter can be used directly in a command without proper sanitization,\n allowing arbitrary arguments to be injected. This can result in \ninformation disclosure, including sensitive database credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T23:29:10.103Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
},
{
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users update to v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware- ."
}
],
"source": {
"advisory": "ICSA-25-191-08",
"discovery": "EXTERNAL"
},
"title": "Advantech iView Argument Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-53509",
"datePublished": "2025-07-10T23:29:10.103Z",
"dateReserved": "2025-07-02T15:12:58.651Z",
"dateUpdated": "2025-07-11T13:29:37.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-52459 (GCVE-0-2025-52459)
Vulnerability from cvelistv5 – Published: 2025-07-10 23:28 – Updated: 2025-07-11 13:29
VLAI?
Summary
A vulnerability exists in Advantech iView that allows for argument
injection in NetworkServlet.backupDatabase(). This issue requires an
authenticated attacker with at least user-level privileges. Certain
parameters can be used directly in a command without proper
sanitization, allowing arbitrary arguments to be injected. This can
result in information disclosure, including sensitive database
credentials.
Severity ?
CWE
Assigner
References
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T13:29:50.282666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:29:56.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.05 build 7057",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in NetworkServlet.backupDatabase(). This issue requires an \nauthenticated attacker with at least user-level privileges. Certain \nparameters can be used directly in a command without proper \nsanitization, allowing arbitrary arguments to be injected. This can \nresult in information disclosure, including sensitive database \ncredentials."
}
],
"value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in NetworkServlet.backupDatabase(). This issue requires an \nauthenticated attacker with at least user-level privileges. Certain \nparameters can be used directly in a command without proper \nsanitization, allowing arbitrary arguments to be injected. This can \nresult in information disclosure, including sensitive database \ncredentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T23:28:08.679Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
},
{
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users update to v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware- ."
}
],
"source": {
"advisory": "ICSA-25-191-08",
"discovery": "EXTERNAL"
},
"title": "Advantech iView Argument Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-52459",
"datePublished": "2025-07-10T23:28:08.679Z",
"dateReserved": "2025-07-02T15:12:58.643Z",
"dateUpdated": "2025-07-11T13:29:56.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53515 (GCVE-0-2025-53515)
Vulnerability from cvelistv5 – Published: 2025-07-10 23:25 – Updated: 2025-07-11 13:57
VLAI?
Summary
A vulnerability exists in Advantech iView that allows for SQL injection
and remote code execution through NetworkServlet.archiveTrap(). This
issue requires an authenticated attacker with at least user-level
privileges. Certain input parameters are not sanitized, allowing an
attacker to perform SQL injection and potentially execute code in the
context of the 'nt authority\local service' account.
Severity ?
CWE
Assigner
References
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53515",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T13:57:29.867588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T13:57:41.891Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "iView",
"vendor": "Advantech",
"versions": [
{
"lessThan": "5.7.05 build 7057",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability exists in Advantech iView that allows for SQL injection \nand remote code execution through NetworkServlet.archiveTrap(). This \nissue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not sanitized, allowing an \nattacker to perform SQL injection and potentially execute code in the \ncontext of the \u0027nt authority\\local service\u0027 account."
}
],
"value": "A vulnerability exists in Advantech iView that allows for SQL injection \nand remote code execution through NetworkServlet.archiveTrap(). This \nissue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not sanitized, allowing an \nattacker to perform SQL injection and potentially execute code in the \ncontext of the \u0027nt authority\\local service\u0027 account."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T23:25:51.561Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
},
{
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
}
],
"value": "Advantech recommends users update to v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware- ."
}
],
"source": {
"advisory": "ICSA-25-191-08",
"discovery": "EXTERNAL"
},
"title": "Advantech iView SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-53515",
"datePublished": "2025-07-10T23:25:51.561Z",
"dateReserved": "2025-07-02T15:12:58.638Z",
"dateUpdated": "2025-07-11T13:57:41.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2022-50595
Vulnerability from fkie_nvd - Published: 2025-11-06 20:15 - Updated: 2025-11-24 18:14
Severity ?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_search_value’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F719357-8063-4CD2-8275-57FC01CB52A1",
"versionEndExcluding": "5.7.04.6425",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_search_value\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
}
],
"id": "CVE-2022-50595",
"lastModified": "2025-11-24T18:14:17.173",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-11-06T20:15:38.070",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-ztp_search_value-parameter-sql-injection-remote-code-execution-vulnerability/"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-ztpsearchvalue-parameter-sqli-rce"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
},
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-50592
Vulnerability from fkie_nvd - Published: 2025-11-06 20:15 - Updated: 2025-11-24 18:54
Severity ?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘getInventoryReportData’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F719357-8063-4CD2-8275-57FC01CB52A1",
"versionEndExcluding": "5.7.04.6425",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018getInventoryReportData\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
}
],
"id": "CVE-2022-50592",
"lastModified": "2025-11-24T18:54:19.717",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-11-06T20:15:37.373",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-getinventoryreportdata-parameter-sql-injection-information-disclosure/"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-getinventoryreportdata-parameter-sqli-rce"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
},
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-50594
Vulnerability from fkie_nvd - Published: 2025-11-06 20:15 - Updated: 2025-11-24 18:18
Severity ?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘data’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F719357-8063-4CD2-8275-57FC01CB52A1",
"versionEndExcluding": "5.7.04.6425",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018data\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords."
}
],
"id": "CVE-2022-50594",
"lastModified": "2025-11-24T18:18:59.527",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-11-06T20:15:37.773",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-page_action_service-parameter-sql-injection-remote-code-execution-vulnerability/"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-data-parameter-sqli-information-disclosure"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
},
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-50591
Vulnerability from fkie_nvd - Published: 2025-11-06 20:15 - Updated: 2025-11-24 18:55
Severity ?
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_config_id’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8F719357-8063-4CD2-8275-57FC01CB52A1",
"versionEndExcluding": "5.7.04.6425",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_config_id\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords."
}
],
"id": "CVE-2022-50591",
"lastModified": "2025-11-24T18:55:56.623",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-11-06T20:15:37.173",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-ztp_config_id-parameter-sql-injection-information-disclosure-vulnerability/"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/advantech-iview-ztpconfigid-parameter-sqli-information-disclosure"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
},
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-53515
Vulnerability from fkie_nvd - Published: 2025-07-11 00:15 - Updated: 2025-08-01 19:13
Severity ?
Summary
A vulnerability exists in Advantech iView that allows for SQL injection
and remote code execution through NetworkServlet.archiveTrap(). This
issue requires an authenticated attacker with at least user-level
privileges. Certain input parameters are not sanitized, allowing an
attacker to perform SQL injection and potentially execute code in the
context of the 'nt authority\local service' account.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 | Product | |
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3E520F-CCCE-46E1-A8ED-95E10597DF43",
"versionEndExcluding": "5.7.05.7057",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in Advantech iView that allows for SQL injection \nand remote code execution through NetworkServlet.archiveTrap(). This \nissue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not sanitized, allowing an \nattacker to perform SQL injection and potentially execute code in the \ncontext of the \u0027nt authority\\local service\u0027 account."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en Advantech iView que permite la inyecci\u00f3n SQL y la ejecuci\u00f3n remota de c\u00f3digo mediante NetworkServlet.archiveTrap(). Este problema requiere un atacante autenticado con al menos privilegios de usuario. Ciertos par\u00e1metros de entrada no se sanean, lo que permite a un atacante realizar una inyecci\u00f3n SQL y potencialmente ejecutar c\u00f3digo en el contexto de la cuenta \u0027nt authority\\local service\u0027."
}
],
"id": "CVE-2025-53515",
"lastModified": "2025-08-01T19:13:59.507",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2025-07-11T00:15:28.547",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Product"
],
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-53519
Vulnerability from fkie_nvd - Published: 2025-07-11 00:15 - Updated: 2025-07-23 19:19
Severity ?
Summary
A vulnerability exists in Advantech iView versions prior to 5.7.05 build
7057, which could allow a reflected cross-site scripting (XSS) attack.
By manipulating specific parameters, an attacker could execute
unauthorized scripts in the user's browser, potentially leading to
information disclosure or other malicious activities.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 | Product, Release Notes | |
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08 | US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3E520F-CCCE-46E1-A8ED-95E10597DF43",
"versionEndExcluding": "5.7.05.7057",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in Advantech iView versions prior to 5.7.05 build\n 7057, which could allow a reflected cross-site scripting (XSS) attack. \nBy manipulating specific parameters, an attacker could execute \nunauthorized scripts in the user\u0027s browser, potentially leading to \ninformation disclosure or other malicious activities."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en las versiones de Advantech iView anteriores a la 5.7.05, compilaci\u00f3n 7057, que podr\u00eda permitir un ataque de cross-site scripting (XSS) reflejado. Al manipular par\u00e1metros espec\u00edficos, un atacante podr\u00eda ejecutar secuencias de comandos no autorizadas en el navegador del usuario, lo que podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n u otras actividades maliciosas."
}
],
"id": "CVE-2025-53519",
"lastModified": "2025-07-23T19:19:55.373",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2025-07-11T00:15:28.750",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Product",
"Release Notes"
],
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-53509
Vulnerability from fkie_nvd - Published: 2025-07-11 00:15 - Updated: 2025-08-01 19:16
Severity ?
Summary
A vulnerability exists in Advantech iView that allows for argument
injection in the NetworkServlet.restoreDatabase(). This issue requires
an authenticated attacker with at least user-level privileges. An input
parameter can be used directly in a command without proper sanitization,
allowing arbitrary arguments to be injected. This can result in
information disclosure, including sensitive database credentials.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 | Product | |
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3E520F-CCCE-46E1-A8ED-95E10597DF43",
"versionEndExcluding": "5.7.05.7057",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in the NetworkServlet.restoreDatabase(). This issue requires \nan authenticated attacker with at least user-level privileges. An input \nparameter can be used directly in a command without proper sanitization,\n allowing arbitrary arguments to be injected. This can result in \ninformation disclosure, including sensitive database credentials."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en Advantech iView que permite la inyecci\u00f3n de argumentos en NetworkServlet.restoreDatabase(). Este problema requiere un atacante autenticado con al menos privilegios de usuario. Un par\u00e1metro de entrada puede usarse directamente en un comando sin la debida limpieza, lo que permite la inyecci\u00f3n de argumentos arbitrarios. Esto puede resultar en la divulgaci\u00f3n de informaci\u00f3n, incluyendo credenciales confidenciales de la base de datos."
}
],
"id": "CVE-2025-53509",
"lastModified": "2025-08-01T19:16:23.140",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2025-07-11T00:15:28.357",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Product"
],
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-88"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-53475
Vulnerability from fkie_nvd - Published: 2025-07-11 00:15 - Updated: 2025-07-23 19:19
Severity ?
Summary
A vulnerability exists in Advantech iView that could allow for SQL
injection and remote code execution through
NetworkServlet.getNextTrapPage(). This issue requires an authenticated
attacker with at least user-level privileges. Certain parameters in this
function are not properly sanitized, allowing an attacker to perform
SQL injection and potentially execute code in the context of the 'nt
authority\local service' account.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 | Product | |
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3E520F-CCCE-46E1-A8ED-95E10597DF43",
"versionEndExcluding": "5.7.05.7057",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in Advantech iView that could allow for SQL \ninjection and remote code execution through \nNetworkServlet.getNextTrapPage(). This issue requires an authenticated \nattacker with at least user-level privileges. Certain parameters in this\n function are not properly sanitized, allowing an attacker to perform \nSQL injection and potentially execute code in the context of the \u0027nt \nauthority\\local service\u0027 account."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en Advantech iView que podr\u00eda permitir la inyecci\u00f3n SQL y la ejecuci\u00f3n remota de c\u00f3digo mediante NetworkServlet.getNextTrapPage(). Este problema requiere un atacante autenticado con al menos privilegios de usuario. Ciertos par\u00e1metros de esta funci\u00f3n no se depuran correctamente, lo que permite a un atacante realizar una inyecci\u00f3n SQL y potencialmente ejecutar c\u00f3digo en el contexto de la cuenta \u0027nt authority\\local service\u0027."
}
],
"id": "CVE-2025-53475",
"lastModified": "2025-07-23T19:19:37.853",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2025-07-11T00:15:27.107",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Product"
],
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-53397
Vulnerability from fkie_nvd - Published: 2025-07-11 00:15 - Updated: 2025-08-01 19:19
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability exists in Advantech iView versions prior to 5.7.05 build
7057, which could allow a reflected cross-site scripting (XSS) attack.
By exploiting this flaw, an attacker could execute unauthorized scripts
in the user's browser, potentially leading to information disclosure or
other malicious activities.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 | Product | |
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3E520F-CCCE-46E1-A8ED-95E10597DF43",
"versionEndExcluding": "5.7.05.7057",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in Advantech iView versions prior to 5.7.05 build\n 7057, which could allow a reflected cross-site scripting (XSS) attack. \nBy exploiting this flaw, an attacker could execute unauthorized scripts \nin the user\u0027s browser, potentially leading to information disclosure or \nother malicious activities."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en las versiones de Advantech iView anteriores a la 5.7.05, compilaci\u00f3n 7057, que podr\u00eda permitir un ataque de cross-site scripting (XSS) reflejado. Al explotar esta vulnerabilidad, un atacante podr\u00eda ejecutar scripts no autorizados en el navegador del usuario, lo que podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n u otras actividades maliciosas."
}
],
"id": "CVE-2025-53397",
"lastModified": "2025-08-01T19:19:25.320",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2025-07-11T00:15:26.763",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Product"
],
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-52577
Vulnerability from fkie_nvd - Published: 2025-07-11 00:15 - Updated: 2025-07-23 19:20
Severity ?
Summary
A vulnerability exists in Advantech iView that could allow SQL injection
and remote code execution through NetworkServlet.archiveTrapRange().
This issue requires an authenticated attacker with at least user-level
privileges. Certain input parameters are not properly sanitized,
allowing an attacker to perform SQL injection and potentially execute
code in the context of the 'nt authority\local service' account.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 | Product | |
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3E520F-CCCE-46E1-A8ED-95E10597DF43",
"versionEndExcluding": "5.7.05.7057",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in Advantech iView that could allow SQL injection\n and remote code execution through NetworkServlet.archiveTrapRange(). \nThis issue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not properly sanitized, \nallowing an attacker to perform SQL injection and potentially execute \ncode in the context of the \u0027nt authority\\local service\u0027 account."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en Advantech iView que podr\u00eda permitir la inyecci\u00f3n SQL y la ejecuci\u00f3n remota de c\u00f3digo mediante NetworkServlet.archiveTrapRange(). Este problema requiere un atacante autenticado con al menos privilegios de usuario. Ciertos par\u00e1metros de entrada no se desinfectan correctamente, lo que permite a un atacante realizar una inyecci\u00f3n SQL y potencialmente ejecutar c\u00f3digo en el contexto de la cuenta \u0027nt authority\\local service\u0027."
}
],
"id": "CVE-2025-52577",
"lastModified": "2025-07-23T19:20:13.513",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2025-07-11T00:15:26.430",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Product"
],
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-46704
Vulnerability from fkie_nvd - Published: 2025-07-11 00:15 - Updated: 2025-07-23 19:20
Severity ?
Summary
A vulnerability exists in Advantech iView in
NetworkServlet.processImportRequest() that could allow for a directory
traversal attack. This issue requires an authenticated attacker with at
least user-level privileges. A specific parameter is not properly
sanitized or normalized, potentially allowing an attacker to determine
the existence of arbitrary files on the server.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 | Product | |
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3E520F-CCCE-46E1-A8ED-95E10597DF43",
"versionEndExcluding": "5.7.05.7057",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in Advantech iView in \nNetworkServlet.processImportRequest() that could allow for a directory \ntraversal attack. This issue requires an authenticated attacker with at \nleast user-level privileges. A specific parameter is not properly \nsanitized or normalized, potentially allowing an attacker to determine \nthe existence of arbitrary files on the server."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en Advantech iView en NetworkServlet.processImportRequest() que podr\u00eda permitir un ataque de salto de directorio. Este problema requiere un atacante autenticado con al menos privilegios de usuario. Un par\u00e1metro espec\u00edfico no est\u00e1 correctamente depurado ni normalizado, lo que podr\u00eda permitir que un atacante determine la existencia de archivos arbitrarios en el servidor."
}
],
"id": "CVE-2025-46704",
"lastModified": "2025-07-23T19:20:26.673",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2025-07-11T00:15:25.583",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Product"
],
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-48891
Vulnerability from fkie_nvd - Published: 2025-07-11 00:15 - Updated: 2025-07-23 19:20
Severity ?
Summary
A vulnerability exists in Advantech iView that could allow for SQL
injection through the CUtils.checkSQLInjection() function. This
vulnerability can be exploited by an authenticated attacker with at
least user-level privileges, potentially leading to information
disclosure or a denial-of-service condition.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 | Product | |
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3E520F-CCCE-46E1-A8ED-95E10597DF43",
"versionEndExcluding": "5.7.05.7057",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in Advantech iView that could allow for SQL \ninjection through the CUtils.checkSQLInjection() function. This \nvulnerability can be exploited by an authenticated attacker with at \nleast user-level privileges, potentially leading to information \ndisclosure or a denial-of-service condition."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en Advantech iView que podr\u00eda permitir la inyecci\u00f3n de SQL mediante la funci\u00f3n CUtils.checkSQLInjection(). Esta vulnerabilidad puede ser explotada por un atacante autenticado con al menos privilegios de usuario, lo que podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n o una denegaci\u00f3n de servicio."
}
],
"id": "CVE-2025-48891",
"lastModified": "2025-07-23T19:20:18.673",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2025-07-11T00:15:25.920",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Product"
],
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-41442
Vulnerability from fkie_nvd - Published: 2025-07-11 00:15 - Updated: 2025-07-23 19:20
Severity ?
Summary
A vulnerability exists in Advantech iView versions prior to 5.7.05 build
7057, which could allow a reflected cross-site scripting (XSS) attack.
By manipulating certain input parameters, an attacker could execute
unauthorized scripts in the user's browser, potentially leading to
information disclosure or other malicious activities.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 | Product | |
| ics-cert@hq.dhs.gov | https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3E520F-CCCE-46E1-A8ED-95E10597DF43",
"versionEndExcluding": "5.7.05.7057",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in Advantech iView versions prior to 5.7.05 build\n 7057, which could allow a reflected cross-site scripting (XSS) attack. \nBy manipulating certain input parameters, an attacker could execute \nunauthorized scripts in the user\u0027s browser, potentially leading to \ninformation disclosure or other malicious activities."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad en las versiones de Advantech iView anteriores a la 5.7.05, compilaci\u00f3n 7057, que podr\u00eda permitir un ataque de cross-site scripting (XSS) reflejado. Al manipular ciertos par\u00e1metros de entrada, un atacante podr\u00eda ejecutar secuencias de comandos no autorizadas en el navegador del usuario, lo que podr\u00eda provocar la divulgaci\u00f3n de informaci\u00f3n u otras actividades maliciosas."
}
],
"id": "CVE-2025-41442",
"lastModified": "2025-07-23T19:20:42.243",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
},
"published": "2025-07-11T00:15:24.347",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Product"
],
"url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}