SQL Injection Vulnerability in Advantech WebAccess/VPN Software
CVE-2025-34240

8.6HIGH

Key Information:

Vendor

Advantech
Status
Webaccess/vpn
Vendor
CVE Published:
6 November 2025

What is CVE-2025-34240?

A SQL injection flaw in Advantech's WebAccess/VPN software affects versions prior to 1.1.5, specifically in the AppManagementController.appUpgradeAction() function. This vulnerability allows low-privileged authenticated users to execute SQL injection attacks through datatable search parameters, which may lead to the unintended disclosure of sensitive database information. Organizations using affected versions are advised to apply the necessary patches to secure their systems.

Affected Version(s)

WebAccess/VPN 0 < 1.1.5

References

https://icr.advantech.com/support/router-models/download/...
vendor-advisorypatch
https://www.vulncheck.com/advisories/advantech-webaccess-...
third-party-advisory
https://icr.advantech.com/download/software
product

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams from Pellera Technologies
JSON
.
CVE-2025-34240 : SQL Injection Vulnerability in Advantech WebAccess/VPN Software