SQL Injection Vulnerability in Advantech WebAccess/VPN Software
CVE-2025-34246

5.3MEDIUM

Key Information:

Vendor

Advantech
Status
Webaccess/vpn
Vendor
CVE Published:
6 November 2025

What is CVE-2025-34246?

The Advantech WebAccess/VPN software prior to version 1.1.5 is susceptible to a SQL injection vulnerability in the AjaxPrevalidationController.ajaxAction() method. This flaw enables an authenticated low-privileged observer user to manipulate SQL queries through datatable search parameters, potentially exposing sensitive database information. Organizations using affected versions should evaluate the risk and apply the necessary patches to mitigate this vulnerability.

Affected Version(s)

WebAccess/VPN 0 < 1.1.5

References

https://icr.advantech.com/support/router-models/download/...
vendor-advisorypatch
https://www.vulncheck.com/advisories/advantech-webaccess-...
third-party-advisory
https://icr.advantech.com/download/software
product

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams from Pellera Technologies
JSON
.
CVE-2025-34246 : SQL Injection Vulnerability in Advantech WebAccess/VPN Software