CVE-2025-52694
published 2026-01-12


Priority P182 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 37.87% (98.4th percentile)
Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet, potentially affecting data confidentiality, integrity, and availability. Users and administrators of affected product versions are advised to update to the latest versions immediately.

Affected

13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | iot_edge_linux_docker | < 2.0.2 | 2.0.2 |
| advantech | iot_edge_windows | < 2.0.2 | 2.0.2 |
| advantech | iotsuite_and_iot_edge_products | | |
| advantech | iotsuite_and_iot_edge_products | | |
| advantech | iotsuite_and_iot_edge_products | | |
| advantech | iotsuite_and_iot_edge_products | | |
| advantech | iotsuite_and_iot_edge_products | | |
| advantech | iotsuite_and_iot_edge_products | | |
| advantech | iotsuite_and_iot_edge_products | | |
| advantech | iotsuite_and_iot_edge_products | | |
| advantech | iotsuite_growth_linux_docker | < 2.0.2 | 2.0.2 |
| advantech | iotsuite_saas_composer | < 3.4.15 | 3.4.15 |
| advantech | iotsuite_starter_linux_docker | < 2.0.2 | 2.0.2 |

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/displays/nuclei_check.json'; select pg_sleep(6) --?org_id={{org_id}}
path: /displays/nuclei_check.json
command: select pg_sleep(6) --
other: shodan:title:"SaaS Composer"
other: fofa:title="SaaS Composer"
  • Detect exploitation attempts by monitoring HTTP GET requests to paths matching /displays/*.json containing SQL metacharacters (single-quote, double-dash) and PostgreSQL time-delay payloads (pg_sleep) in the URL path or query string.
  • Fingerprint exposed instances by checking HTTP response body for the string 'SaaS Composer' — this confirms the vulnerable Advantech WISE-IoTSuite/SaaS Composer interface is reachable.
  • Time-based blind SQLi confirmation: a successful exploit produces HTTP 200 with a response duration >= 6 seconds due to pg_sleep(6) execution in the backend PostgreSQL database.
  • The vulnerable injection point is the `filename` parameter within the URL path; monitor for URL-encoded or literal SQL syntax injected into path segments of /displays/ endpoints.
  • The attack is unauthenticated and exploitable remotely; no session cookie or authentication header is required. Prioritize perimeter detection for any internet-exposed SaaS Composer instances.
  • The Nuclei template uses a clusterbomb attack iterating org_id values 1–5; detection rules should account for multiple rapid sequential requests to the same /displays/*.json path with varying org_id values from a single source IP.
  • Impact severity depends on the privileges of the PostgreSQL database user; if the DB user has superuser or COPY TO/FROM PROGRAM privileges, exploitation can escalate to Remote Code Execution.
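
The detection points above applied to access-log records, as an added example (not part of the CVE record or any vendor tooling): it flags /displays/*.json requests carrying SQL syntax, marks those answered with HTTP 200 after 6 seconds or more, and reports source IPs that vary org_id. The record layout, the sample records, and the three-value sweep threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, parse_qs

DISPLAYS = re.compile(r"^/displays/[^/]*\.json", re.I)
SQLI = re.compile(r"'|--|pg_sleep\s*\(", re.I)
DELAY_SECONDS = 6.0      # pg_sleep(6) from the template quoted on this page
SWEEP_MIN_ORG_IDS = 3    # assumed threshold; the template iterates org_id 1-5

# Constructed sample records: (source_ip, request_target, status, seconds)
SAMPLE_LOG = [
    ("198.51.100.7", "/displays/nuclei_check.json'; select pg_sleep(6) --?org_id=1", 200, 6.21),
    ("198.51.100.7", "/displays/nuclei_check.json%27%3B%20select%20pg_sleep(6)%20--?org_id=2", 200, 6.18),
    ("198.51.100.7", "/displays/nuclei_check.json'; select pg_sleep(6) --?org_id=3", 404, 0.04),
    ("203.0.113.20", "/displays/floor-plan.json?org_id=1", 200, 0.12),
    ("203.0.113.20", "/displays/floor-plan.json?org_id=1", 200, 7.90),  # slow but clean
]

def classify(target, status, seconds):
    """Return None for benign requests, else 'attempt' or 'likely-success'."""
    path, _, query = target.partition("?")
    # Decode first so URL-encoded and literal SQL syntax are treated alike.
    path, query = unquote(path), unquote(query)
    if not DISPLAYS.match(path) or not SQLI.search(path + "?" + query):
        return None
    # Latency alone is not a signal; it only upgrades an already suspicious request.
    delayed = status == 200 and seconds >= DELAY_SECONDS
    return "likely-success" if delayed else "attempt"

def analyze(log):
    """Return (per-request findings, source IPs sweeping org_id values)."""
    findings, org_ids = [], defaultdict(set)
    for ip, target, status, seconds in log:
        verdict = classify(target, status, seconds)
        if verdict is None:
            continue
        findings.append((ip, verdict))
        query = target.partition("?")[2]
        org_ids[ip].update(parse_qs(query).get("org_id", []))
    sweepers = {ip for ip, ids in org_ids.items() if len(ids) >= SWEEP_MIN_ORG_IDS}
    return findings, sweepers

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)[0]:
        print(finding)
```

The bare `'` and `--` patterns will also match legitimate file names containing those characters, so treat "attempt" hits as triage input and "likely-success" hits as the priority.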