CVE-2025-34242— Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxNetworkController.ajaxAction()
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-34242
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxNetworkController.ajaxAction()
Source: NVD (National Vulnerability Database)
Vulnerability Description
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxNetworkController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Advantech WebAccess/VPN 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Advantech WebAccess/VPN是中国台湾研华(Advantech)公司的一款高级网络安全平台。 Advantech WebAccess/VPN 1.1.5之前版本存在安全漏洞,该漏洞源于AjaxNetworkController.ajaxAction函数未正确过滤datatable搜索参数,可能导致SQL注入攻击和数据泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Advantech | WebAccess/VPN | 0 ~ 1.1.5 | - |
II. Public POCs for CVE-2025-34242
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-34242
请登录查看更多情报信息。
Same Patch Batch · Advantech · 2025-11-06 · 21 CVEs total
| CVE-2025-62630 | 8.8 HIGH | Advantech DeviceOn/iEdge Path Traversal |
| CVE-2025-58423 | 8.8 HIGH | Advantech DeviceOn/iEdge Path Traversal |
| CVE-2025-59171 | 7.5 HIGH | Advantech DeviceOn/iEdge Path Traversal |
| CVE-2025-64302 | 6.4 MEDIUM | Advantech DeviceOn/iEdge Cross-site Scripting |
| CVE-2025-34243 | Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxFwRulesController.ajaxNetworkFwRules | |
| CVE-2025-34240 | Advantech WebAccess/VPN < 1.1.5 SQL Injection via AppManagementController.appUpgradeAction | |
| CVE-2025-34238 | Advantech WebAccess/VPN < 1.1.5 Path Traversal via AjaxStandaloneVpnClientsController.ajax | |
| CVE-2025-34236 | Advantech WebAccess/VPN < 1.1.5 Stored XSS via NetworksController.addNetworkAction() | |
| CVE-2025-34247 | Advantech WebAccess/VPN < 1.1.5 SQL Injection via NetworksController.addNetworkAction() | |
| CVE-2025-34239 | Advantech WebAccess/VPN < 1.1.5 Command Injection in AppManagementController.appUpgradeAct | |
| CVE-2025-34244 | Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxFwRulesController.ajaxDeviceFwRulesA | |
| CVE-2025-34237 | Advantech WebAccess/VPN < 1.1.5 Stored XSS via StandaloneVpnClientsController.addStandalon | |
| CVE-2022-50593 | Advantech iView < v5.7.04 Build 6425 search_term Parameter SQL Injection RCE | |
| CVE-2025-34246 | Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxPrevalidationController.ajaxAction() | |
| CVE-2025-34241 | Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxDeviceController.ajaxDeviceAction() | |
| CVE-2025-34245 | Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxStandaloneVpnClientsController.ajaxA | |
| CVE-2022-50595 | Advantech iView < v5.7.04 Build 6425 ztp_search_value Parameter SQL Injection RCE | |
| CVE-2022-50591 | Advantech iView < v5.7.04 Build 6425 ztp_config_id Parameter SQL Injection Information Dis | |
| CVE-2022-50594 | Advantech iView < v5.7.04 Build 6425 data Parameter SQL Injection Information Disclosure | |
| CVE-2022-50592 | Advantech iView < v5.7.04 Build 6425 getInventoryReportData Parameter SQL Injection RCE |
IV. Related Vulnerabilities
Same product: WebAccess/VPN
- CVE-2025-34247
Advantech WebAccess/VPN < 1.1.5 SQL Injection via NetworksCo - CVE-2025-34246
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxPreval - CVE-2025-34245
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxStanda - CVE-2025-34244
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxFwRule - CVE-2025-34243
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxFwRule
Same vendor: Advantech
Same weakness: CWE-89
- CVE-2021-47941
WordPress Plugin Survey & Poll 1.5.7.3 SQL Injection via sss - CVE-2021-47930
Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthentic - CVE-2021-47928
Opencart TMD Vendor System 3.x Blind SQL Injection via produ - CVE-2026-8231
CodeAstro Online Catering Ordering System deleteorder.php sq - CVE-2025-14179
SQL injection in pdo_firebird via NUL bytes in quoted string
V. Comments for CVE-2025-34242
No comments yet