Critical Vulnerability in Advantech Products

Background

Advantech has released security updates addressing a critical vulnerability (CVE-2025-52694) in their products. The vulnerability has a Common Vulnerability Scoring System (CVSS 3.1) score of 10 out of 10.

Impact

Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet.

Affected Products

The vulnerability affects the following Advantech products:

• SaaSComposer prior to version 3.4.15

• IoTSuite Growth Linux docker prior to version V2.0.2

• IoTSuite Starter Linux docker prior to version V2.0.2

• IoT Edge Linux docker prior to version V2.0.2

• IoT Edge Windows prior to version V2.0.2

• WebAccess/SCADA prior to version V9.2.2

• WebAccess SaaS-Composer prior to version 3.4.15.1

• ECOWatch SaaS-Composer prior to version 3.4.15

Mitigation

Users and administrators of affected product versions are advised to update to the latest versions immediately.

For SaaSComposer, IoTSuite Growth Linux docker, IoT Edge Windows, and ECOWatch please contact Advantech here for the official release of the fixed version.

For IoTSuite Starter Linux docker, please refer to the update guide here. As the update involves a reinstallation process, please refer to the reinstallation guide here.

For IoT Edge Linux docker, please refer to the update guide here. As the update involves a reinstallation process, please refer to the reinstallation guide here.

For WebAccess/SCADA and WebAccess SaaS-Composer, please refer to the update guide here.

Credits

CSA would like to express our appreciation to Mr Loi Nguyen Thang from HCMUTE Information Security Club for discovering the vulnerability and thank Advantech for their collaboration on the coordinated disclosure of the vulnerability.

References

https://www.advantech.com/en/security-advisory