SQL Injection Vulnerability in Advantech WebAccess/VPN Affects Multiple Versions
CVE-2025-34243

5.3MEDIUM

Key Information:

Vendor

Advantech
Status
Webaccess/vpn
Vendor
CVE Published:
6 November 2025

What is CVE-2025-34243?

The Advantech WebAccess/VPN application is impacted by a SQL injection vulnerability stemming from improper validation within the AjaxFwRulesController.ajaxNetworkFwRulesAction() function. This vulnerability allows a low-privileged authenticated user to manipulate datatable search parameters, potentially disclosing sensitive database information. It is crucial for users to update to version 1.1.5 or higher to mitigate this risk.

Affected Version(s)

WebAccess/VPN 0 < 1.1.5

References

https://icr.advantech.com/support/router-models/download/...
vendor-advisorypatch
https://www.vulncheck.com/advisories/advantech-webaccess-...
third-party-advisory
https://icr.advantech.com/download/software
product

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams from Pellera Technologies
JSON
.
CVE-2025-34243 : SQL Injection Vulnerability in Advantech WebAccess/VPN Affects Multiple Versions