Home

Description

A vulnerability exists in Advantech iView that could allow SQL injection and remote code execution through NetworkServlet.archiveTrapRange(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.

PUBLISHED Reserved 2025-07-02 | Published 2025-07-10 | Updated 2025-07-11 | Assigner icscert




HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-89

Product status

Default status
unaffected

Any version before 5.7.05 build 7057
affected

Credits

Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-25-191-08

www.advantech.com/en/support/details/firmware-?id=1-HIPU-183

cve.org (CVE-2025-52577)

nvd.nist.gov (CVE-2025-52577)

Download JSON