CVE-2025-52694
Published: 2026-01-12
Priority: P1 (82) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available (see the Nuclei template below)
EPSS: 37.87% (98.4th percentile)
Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet, potentially affecting data confidentiality, integrity, and availability. Users and administrators of affected product versions are advised to update to the latest versions immediately.
Affected (13 ranges indexed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | iot_edge_linux_docker | < 2.0.2 | 2.0.2 |
| advantech | iot_edge_windows | < 2.0.2 | 2.0.2 |
| advantech | iotsuite_and_iot_edge_products | — | — |
| advantech | iotsuite_growth_linux_docker | < 2.0.2 | 2.0.2 |
| advantech | iotsuite_saas_composer | < 3.4.15 | 3.4.15 |
| advantech | iotsuite_starter_linux_docker | < 2.0.2 | 2.0.2 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring HTTP GET requests to paths matching `/displays/*.json` that contain SQL metacharacters (single quote, double dash) or PostgreSQL time-delay payloads (`pg_sleep`) in the URL path or query string. Match on the URL-decoded form: the same payload may arrive as `%27` and `%2D%2D`.
- Fingerprint exposed instances by checking the HTTP response body for the string `SaaS Composer`; this confirms that the Advantech WISE-IoTSuite/SaaS Composer interface is reachable, not that it is unpatched, so compare the running version against the fixed releases listed above.
- Time-based blind SQLi confirmation: a successful probe returns HTTP 200 with a response time of at least 6 seconds, because the injected `pg_sleep(6)` executes in the backend PostgreSQL database. Compare against the baseline latency of the same path without the payload so a slow backend is not mistaken for a confirmed injection.
- The injection point is the `filename` parameter in the URL path; monitor for URL-encoded or literal SQL syntax in the path segments of `/displays/` endpoints, not only in the query string.
- The attack is unauthenticated and remotely exploitable; no session cookie or authentication header is required. Prioritize perimeter detection for any Internet-exposed SaaS Composer instance.
- The Nuclei template uses a clusterbomb attack that iterates `org_id` values 1 to 5; detection rules should account for several rapid sequential requests to the same `/displays/*.json` path with varying `org_id` values from a single source IP.
- Impact depends on the privileges of the PostgreSQL database user: if that user is a superuser, or is a member of `pg_execute_server_program` (the role that grants `COPY TO/FROM PROGRAM`), exploitation can escalate to remote code execution on the database host. Running the application against a least-privileged database role limits the blast radius.
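The detection points above, turned into a small log-triage script. This is an added example, not code from the page's sources, from Advantech, or from the Nuclei project: it parses constructed access-log lines in an assumed `<ip> <epoch> "<METHOD> <target>" <status> <request_time>` format, flags GET requests to `/displays/*.json` whose decoded path carries SQL metacharacters or `pg_sleep`, treats a 200 response that took at least 6 seconds as a time-based confirmation, and flags a single source IP that iterates several `org_id` values within a short window. The log format, the sample lines, the thresholds and every function name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (not from any real deployment). Assumed format:
#   <client_ip> <epoch_seconds> "<METHOD> <request_target>" <status> <request_time_s>
# The payload shape follows the IOC notes: SQL metacharacters plus pg_sleep(6) injected
# into the filename segment of /displays/<filename>.json, with org_id varied 1..5.
SAMPLE_LOG = """\
203.0.113.7 1700000000 "GET /displays/foo.json?org_id=1" 200 0.12
203.0.113.7 1700000001 "GET /displays/foo'%20AND%20(SELECT%20pg_sleep(6))--.json?org_id=1" 200 6.31
203.0.113.7 1700000002 "GET /displays/foo'%20AND%20(SELECT%20pg_sleep(6))--.json?org_id=2" 200 6.28
203.0.113.7 1700000003 "GET /displays/foo'%20AND%20(SELECT%20pg_sleep(6))--.json?org_id=3" 200 6.30
203.0.113.7 1700000004 "GET /displays/foo'%20AND%20(SELECT%20pg_sleep(6))--.json?org_id=4" 200 6.29
203.0.113.7 1700000005 "GET /displays/foo'%20AND%20(SELECT%20pg_sleep(6))--.json?org_id=5" 200 6.27
198.51.100.4 1700000010 "GET /displays/dashboard.json?org_id=1" 200 0.09
198.51.100.4 1700000011 "GET /static/app.js" 200 0.02
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<target>\S+)" '
    r'(?P<status>\d{3}) (?P<rt>\d+(?:\.\d+)?)$'
)
DISPLAYS_JSON_RE = re.compile(r"^/displays/.+\.json$", re.IGNORECASE)
# Single quote, SQL line comment, or a pg_sleep() call anywhere in the decoded path.
SQL_META_RE = re.compile(r"'|--|pg_sleep\s*\(", re.IGNORECASE)

SLEEP_SECONDS = 6.0         # pg_sleep(6) used by the public probe
BURST_WINDOW_SECONDS = 10   # assumed: how close together org_id-iterating requests arrive
BURST_DISTINCT_ORG_IDS = 3  # assumed: distinct org_id values in the window before we flag


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["target"])
    org_ids = parse_qs(parts.query).get("org_id", [])
    return {
        "ip": m["ip"],
        "ts": int(m["ts"]),
        "method": m["method"],
        "path": unquote(parts.path),  # decode %27 / %20 before pattern matching
        "org_id": org_ids[0] if org_ids else None,
        "status": int(m["status"]),
        "rt": float(m["rt"]),
    }


def is_sqli_probe(rec):
    """GET to /displays/*.json whose decoded path carries SQL metacharacters or pg_sleep."""
    return (rec["method"] == "GET"
            and DISPLAYS_JSON_RE.match(rec["path"]) is not None
            and SQL_META_RE.search(rec["path"]) is not None)


def analyze(log_text):
    findings = []
    per_ip = defaultdict(list)  # ip -> [(ts, org_id)] for every /displays/*.json hit
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if DISPLAYS_JSON_RE.match(rec["path"]):
            per_ip[rec["ip"]].append((rec["ts"], rec["org_id"]))
        if not is_sqli_probe(rec):
            continue
        findings.append({"rule": "sqli_path", "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"]})
        # Time-based blind confirmation: HTTP 200 that took at least the injected sleep.
        if rec["status"] == 200 and rec["rt"] >= SLEEP_SECONDS and "pg_sleep" in rec["path"].lower():
            findings.append({"rule": "time_based_confirmed", "ip": rec["ip"], "ts": rec["ts"], "rt": rec["rt"]})
    # org_id enumeration: sliding time window over each source IP's /displays/*.json requests.
    for ip, hits in per_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > BURST_WINDOW_SECONDS:
                start += 1
            distinct = {org for _, org in hits[start:end + 1] if org is not None}
            if len(distinct) >= BURST_DISTINCT_ORG_IDS:
                findings.append({"rule": "org_id_enumeration", "ip": ip, "org_ids": sorted(distinct, key=int)})
                break
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'sqli_path': 5, 'time_based_confirmed': 5, ...}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print(summarize(analyze(SAMPLE_LOG)))
```

To run this against real logs, replace `LINE_RE` with a pattern for your server's access-log format (nginx `$request_time` or Apache `%D` supplies the response duration) and feed the file contents to `analyze`. The 6-second threshold only confirms a probe that used `pg_sleep(6)`; a shorter or longer sleep value in a different payload will still be caught by the `sqli_path` rule, but the time-based rule should be tuned to your baseline latency for `/displays/*.json`.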
No detection rules found.
Nuclei
CVE-2025-52694 [CRITICAL] Advantech WISE-IoTSuite/SaaS - SQL Injection (nuclei · CVSS 9.8)
Advantech WISE-IoTSuite/SaaS Composer suffers from an unauthenticated SQL Injection vulnerability due to the unsafe use of the `filename` parameter within the URL path in PostgreSQL queries. Remote attackers can exploit this flaw by injecting SQL code (such as the use of `pg_sleep` for time delays) to verify the vulnerability, and may gain further impact such as Remote Code Execution (RCE) depending on the privileges granted to the database user.
Template:

```yaml
id: CVE-2025-52694
info:
  name: Advantech WISE-IoTSuite/SaaS - SQL Injection
  author: Loi Nguyen Thang
  severity: critical
  description: |
    Advantech WISE-IoTSuite/SaaS Composer suffers from an unauthenticated SQL Injection vulnerability due to the unsafe use of the `filename` parameter within
```
No writeups or analysis indexed.