CVE 8.6 HIGH

Advantech WebAccess/VPN < 1.1.5 SQL Injection via AppManagementController.appUpgradeAction()_CVE-2025-34240

November 6, 2025 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

AI Analysis

SQL injection vulnerability in AppManagementController.appUpgradeAction() allowing disclosure of database information

Basic Information

ID CVE-2025-34240

Source VulnCheck

Published Nov 6, 2025 at 19:45

Affected Product

Vendor Advantech

Product WebAccess/VPN

Affected Versions Advantech WebAccess/VPN 0

CWE Classification

CWE-89

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Advantech

Product WebAccess/VPN

Version < 1.1.5

References

{
    "lastseen": "",
    "description": "Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in\u00a0AppManagementController.appUpgradeAction()\u00a0that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.",
    "published": "2025-11-06T19:45:02.692Z",
    "modified": "2025-11-06T19:45:02.692Z",
    "type": "cve",
    "title": "Advantech WebAccess/VPN < 1.1.5 SQL Injection via AppManagementController.appUpgradeAction()",
    "source": "VulnCheck",
    "references": "https://icr.advantech.com/support/router-models/download/511/sa-2025-01-vpn-2025-11-06.pdf\nhttps://www.vulncheck.com/advisories/advantech-webaccess-vpn-sqli-via-appmanagementcontroller-appupgradeaction\nhttps://icr.advantech.com/download/software",
    "id": "CVE-2025-34240",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "Advantech WebAccess/VPN 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WebAccess/VPN",
    "version": "0",
    "vendor": "Advantech",
    "ai_description": "SQL injection vulnerability in AppManagementController.appUpgradeAction() allowing disclosure of database information",
    "ai_severity": "High",
    "ai_vendor": "Advantech",
    "ai_product": "WebAccess/VPN",
    "ai_version": "< 1.1.5",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply