SQL Injection Vulnerability in Advantech WebAccess/VPN by Advantech
CVE-2025-34242

8.6HIGH

Key Information:

Vendor

Advantech
Status
Webaccess/vpn
Vendor
CVE Published:
6 November 2025

What is CVE-2025-34242?

Advantech WebAccess/VPN versions before 1.1.5 are susceptible to an SQL injection vulnerability through AjaxNetworkController.ajaxAction(). This flaw enables authenticated low-privileged users to manipulate SQL statements via datatable search parameters, potentially compromising sensitive database information. The vulnerability emphasizes the need for proper input validation to prevent unauthorized data exposure.

Affected Version(s)

WebAccess/VPN 0 < 1.1.5

References

https://icr.advantech.com/support/router-models/download/...
vendor-advisorypatch
https://www.vulncheck.com/advisories/advantech-webaccess-...
third-party-advisory
https://icr.advantech.com/download/software
product

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams from Pellera Technologies
JSON
.
CVE-2025-34242 : SQL Injection Vulnerability in Advantech WebAccess/VPN by Advantech