CVE-2025-52694 PUBLISHED

Execution of arbitrary SQL commands

Assigner: CSA
Reserved: 19.06.2025 Published: 12.01.2026 Updated: 26.01.2026

Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet, potentially affecting data confidentiality, integrity, and availability. Users and administrators of affected product versions are advised to update to the latest versions immediately.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Product Status

Vendor Advantech
Product IoTSuite and IoT Edge Products
Versions Default: unknown
  • SaaSComposer prior to version V3.4.15 is affected
  • IoTSuite Growth Linux docker prior to version V2.0.2 is affected
  • IoTSuite Starter Linux docker prior to version V2.0.2 is affected
  • IoT Edge Linux docker prior to version V2.0.2 is affected
  • IoT Edge Windows prior to version V2.0.2 is affected
  • WebAccess/SCADA prior to version V9.2.2 is affected
  • WebAccess SaaS-Composer prior to version 3.4.15.1 is affected
  • ECOWatch SaaS-Composer prior to version 3.4.15 is affected

Solutions

Users and administrators of affected product versions are advised to update to the latest versions immediately.

For IoTSuite SaaSComposer, IoTSuite Growth Linux docker, and IoT Edge Windows, please contact Advantech at https://wise-iot.advantech.com/en-tw/marketplace/help/technical-support for the official release of the fixed version.

For IoTSuite Starter Linux docker, please download the update here: https://portal-kbinsight-wiseiot-ensaas.practice.cloud.advantech.com/kb/library/detail/JqNWAMGz1JQ

For IoT Edge Linux docker, please download the update here: https://portal-kbinsight-wiseiot-ensaas.practice.cloud.advantech.com/kb/library/detail/G0yWBn2mp2q

Credits

  • Loi Nguyen Thang (finder)
