Advantech Advantech System Integration services HW/SW


Products by Advantech Sorted by Most Security Vulnerabilities since 2018

Advantech Webaccess: 88 vulnerabilities

Advantech Iview: 33 vulnerabilities

Advantech Webaccessscada: 28 vulnerabilities

Advantech Webaccess Scada: 17 vulnerabilities

Advantech Webaccessvpn: 12 vulnerabilities

Advantech Deviceon Iedge: 4 vulnerabilities

Advantech Adam 5630 Firmware: 3 vulnerabilities

Advantech Adam 5550 Firmware: 2 vulnerabilities

Advantech Adam 6051: 1 vulnerability

Advantech Adam 6015: 1 vulnerability

Advantech Adam 6017: 1 vulnerability

Advantech Adam 6018: 1 vulnerability

Advantech Adam 6022: 1 vulnerability

Advantech Adam 6024: 1 vulnerability

Advantech Adam 6050: 1 vulnerability

Advantech Adam 6050w: 1 vulnerability

Advantech Adam 6066: 1 vulnerability

Advantech Adam 6051w: 1 vulnerability

Advantech Adam 6052: 1 vulnerability

Advantech Adam 6060: 1 vulnerability

Advantech Adam 6060w: 1 vulnerability

Advantech Adam 6501: 1 vulnerability

By the Year

In 2026 there have been 2 vulnerabilities in Advantech with an average score of 8.6 out of ten. Last year, in 2025, Advantech had 38 security vulnerabilities published. Right now, Advantech is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.54.




Year Vulnerabilities Average Score
2026 2 8.60
2025 38 7.06
2024 7 7.10
2023 10 8.84
2022 15 7.90
2021 62 7.32
2020 28 8.45
2019 31 9.23
2018 28 7.18

It may take a day or so for new Advantech vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Advantech Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-2670 Feb 18, 2026
OS Command Injection Advantech WISE-6610 1.2.1_20251110 openvpn_apply
A vulnerability was identified in Advantech WISE-6610 1.2.1_20251110. Affected is an unknown function of the file /cgi-bin/luci/admin/openvpn_apply of the component Background Management. Such manipulation of the argument delete_file leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-52694 Jan 12, 2026
SQLi Remote Exec in Unknown Web Service
Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet, potentially affecting data confidentiality, integrity, and availability. Users and administrators of affected product versions are advised to update to the latest versions immediately.
CVE-2025-67653 Dec 18, 2025
Advantech WebAccess/SCADA Directory Traversal (CVE-2025-67653)
Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to determine the existence of arbitrary files.
Webaccessscada
Webaccess Scada
CVE-2025-46268 Dec 18, 2025
SQLi in Advantech WebAccess/SCADA
Advantech WebAccess/SCADA is vulnerable to SQL injection, which may allow an attacker to execute arbitrary SQL commands.
Webaccessscada
CVE-2025-14848 Dec 18, 2025
Advantech WebAccess/SCADA Abs Dir Traversal
Advantech WebAccess/SCADA is vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files.
Webaccessscada
Webaccess
CVE-2025-14849 Dec 18, 2025
Advantech WebAccess SCADA Unrestricted File Upload Allowing Remote Code Exec
Advantech WebAccess/SCADA is vulnerable to unrestricted file upload, which may allow an attacker to remotely execute arbitrary code.
Webaccessscada
Webaccess Scada
CVE-2025-14850 Dec 18, 2025
Dir Traversal in Advantech WebAccess/SCADA Allows Arbitrary File Deletion
Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to delete arbitrary files.
Webaccessscada
Webaccess Scada
CVE-2025-14252 Dec 16, 2025
Priv Esc in Advantech SUSI Driver 5.0.24335 via Improper Access
An Improper Access Control vulnerability in Advantech SUSI driver (susi.sys) allows attackers to read/write arbitrary memory, I/O ports, and MSRs, resulting in privilege escalation, arbitrary code execution, and information disclosure. This issue affects Advantech SUSI: 5.0.24335 and prior.
CVE-2025-13373 Dec 04, 2025
Advantech iView <=5.7.05.7057 SQL injection via SNMP v1 trap (Port 162)
Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.
Iview
CVE-2025-58423 Nov 06, 2025
Insufficient Sanitization in File Upload Enables Path Traversal, File Access and DOS (CVE-2025-58423)
Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to cause a denial-of-service condition, traverse directories, or read/write files, within the context of the local system account.
Deviceon Iedge
CVE-2025-59171 Nov 06, 2025
RCE via Unsanitized Config File Upload and Directory Traversal
Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions.
Deviceon Iedge
CVE-2025-62630 Nov 06, 2025
Unsanitized Config File Upload Enables Directory Traversal RCE
Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions.
Deviceon Iedge
CVE-2025-64302 Nov 06, 2025
CVE-2025-64302: Dashboard Label/Path Injection Causing Device Error
Insufficient input sanitization in the dashboard label or path can allow an attacker to trigger a device error causing information disclosure or data manipulation.
Deviceon Iedge
CVE-2022-50595 Nov 06, 2025
Advantech iView <=5.7.04 SNMP Auth Bypass + SQLi RCE
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ztp_search_value parameter to the NetworkServlet endpoint. Successful exploitation allows for remote code execution with administrator privileges.
Iview
CVE-2022-50591 Nov 06, 2025
Advantech iView <5.7.04 SQL injection via SNMP
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ztp_config_id parameter to the NetworkServlet endpoint. Successful exploitation allows for the exfiltration of user data, including clear text passwords.
Iview
CVE-2022-50593 Nov 06, 2025
Advantech iView <5.7.04: SNMP Auth Bypass + SQLi RCE
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the search_term parameter to the NetworkServlet endpoint. Successful exploitation allows for remote code execution with administrator privileges.
Iview
CVE-2022-50592 Nov 06, 2025
Advantech iView before v5.7.04: SNMP Auth Bypass + SQLi RCE
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the getInventoryReportData parameter to the NetworkServlet endpoint. Successful exploitation allows for remote code execution with administrator privileges.
Iview
CVE-2022-50594 Nov 06, 2025
Advantech iView <=5.7.04 SNMP Auth Bypass + SQLi in NetworkServlet
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the data parameter to the NetworkServlet endpoint. Successful exploitation allows for the exfiltration of user data, including clear text passwords.
Iview
CVE-2025-34247 Nov 06, 2025
Advantech WebAccess VPN 1.1.5 SQLi via NetworksController.addNetworkAction()
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in NetworksController.addNetworkAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
Webaccess
Webaccessvpn
CVE-2025-34246 Nov 06, 2025
Advantech WebAccess/VPN <1.1.5: SQLi via AjaxPrevalidationController
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxPrevalidationController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
Webaccess
Webaccessvpn
CVE-2025-34245 Nov 06, 2025
Advantech WebAccess/VPN SQLi prior to 1.1.5 via AjaxStandaloneVpnClientsController
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxStandaloneVpnClientsController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
Webaccess
Webaccessvpn
CVE-2025-34244 Nov 06, 2025
SQLi in Advantech WebAccess/VPN <1.1.5 via AjaxFwRulesController
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxDeviceFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
Webaccess
Webaccessvpn
CVE-2025-34243 Nov 06, 2025
SQLi in Advantech WebAccess/VPN <1.1.5 via AjaxFwRulesController
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxNetworkFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
Webaccess
Webaccessvpn
CVE-2025-34242 Nov 06, 2025
Advantech WebAccess/VPN <=1.1.4: Auth observer SQLi via AjaxNetworkController
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxNetworkController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
Webaccess
Webaccessvpn
CVE-2025-34241 Nov 06, 2025
Advantech WebAccess/VPN <=1.1.4: SQLi in AjaxDeviceController
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxDeviceController.ajaxDeviceAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
Webaccess
Webaccessvpn
CVE-2025-34240 Nov 06, 2025
SQLi via AuthObs in Advantech WebAcc/VPN <1.1.5 AppMgmtCtrl.appUpgradeAction()
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
Webaccess
Webaccessvpn
CVE-2025-34239 Nov 06, 2025
Advantech WebAccess/VPN <1.1.5: Auth Cmd Injection via AppMgmtCtrl
Advantech WebAccess/VPN versions prior to 1.1.5 contain a command injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated system administrator to execute arbitrary commands as the web server user (www-data) by supplying a crafted uploaded filename.
Webaccess
Webaccessvpn
CVE-2025-34238 Nov 06, 2025
Advantech WebAccess/VPN <1.1.5: Authenticated Path Traversal Exploit
Advantech WebAccess/VPN versions prior to 1.1.5 contain an absolute path traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction() that allows an authenticated network administrator to cause the application to read and return the contents of arbitrary files the web user (www-data) can access.
Webaccess
Webaccessvpn
CVE-2025-34237 Nov 06, 2025
Advantech WebAccess/VPN <1.1.5 XSS via addStandaloneVpnClientAction()
Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via StandaloneVpnClientsController.addStandaloneVpnClientAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Webaccess
Webaccessvpn
CVE-2025-34236 Nov 06, 2025
Advantech WebAccess/VPN <1.1.5 XSS via NetworksController.addNetworkAction()
Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via NetworksController.addNetworkAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.
Webaccess
Webaccessvpn
CVE-2025-52459 Jul 11, 2025
Advantech iView Argument Injection in NetworkServlet via Unsanitized Parameters
A vulnerability exists in Advantech iView that allows for argument injection in NetworkServlet.backupDatabase(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.
Iview
CVE-2025-53397 Jul 11, 2025
Advantech iView <5.7.05 build7057 Reflected XSS in Web UI
A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By exploiting this flaw, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities.
Iview
CVE-2025-53509 Jul 11, 2025
Advantech iView NetworkServlet Arg Injection Enables Credential Exposure
A vulnerability exists in Advantech iView that allows for argument injection in the NetworkServlet.restoreDatabase(). This issue requires an authenticated attacker with at least user-level privileges. An input parameter can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.
Iview
CVE-2025-53515 Jul 11, 2025
SQLi & RCE via NetworkServlet.archiveTrap() in Advantech iView
A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
Iview
CVE-2025-41442 Jul 11, 2025
Advantech iView Reflected XSS before 5.7.05b7057
A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating certain input parameters, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities.
Iview
CVE-2025-46704 Jul 11, 2025
Directory Traversal in Advantech iView via NetworkServlet.processImportRequest
A vulnerability exists in Advantech iView in NetworkServlet.processImportRequest() that could allow for a directory traversal attack. This issue requires an authenticated attacker with at least user-level privileges. A specific parameter is not properly sanitized or normalized, potentially allowing an attacker to determine the existence of arbitrary files on the server.
Iview
CVE-2025-48891 Jul 11, 2025
SQLi in Advantech iView via CUtils.checkSQLInjection
A vulnerability exists in Advantech iView that could allow for SQL injection through the CUtils.checkSQLInjection() function. This vulnerability can be exploited by an authenticated attacker with at least user-level privileges, potentially leading to information disclosure or a denial-of-service condition.
Iview
CVE-2025-52577 Jul 11, 2025
Advantech iView SQLi & RCE via NetworkServlet.archiveTrapRange()
A vulnerability exists in Advantech iView that could allow SQL injection and remote code execution through NetworkServlet.archiveTrapRange(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
Iview
CVE-2025-53475 Jul 11, 2025
Advantech iView SQLi & RCE via NetworkServlet.getNextTrapPage()
A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters in this function are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
Iview
CVE-2025-53519 Jul 11, 2025
Advantech iView <5.7.05 XSS Reflected Exploit
A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating specific parameters, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities.
Iview
CVE-2023-52335 Nov 22, 2024
Advantech iView ConfigurationServlet SQL Injection Causing Credential Disclosure
Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863.
Iview
CVE-2024-28948 Sep 27, 2024
Advantech ADAM-5630 CSRF Vulnerability
Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
Adam 5630 Firmware
CVE-2024-39275 Sep 27, 2024
Advantech ADAM5630 Persistent Cookie SessionFixation
Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user.
Adam 5630 Firmware
CVE-2024-38308 Sep 27, 2024
Advantech ADAM 5550 XSS in Logs Page
Advantech ADAM 5550's web application includes a "logs" page where all the HTTP requests received are displayed to the user. The device doesn't correctly neutralize malicious code when parsing HTTP requests to generate page output.
Adam 5550 Firmware
CVE-2024-34542 Sep 27, 2024
Advantech ADAM-5630 Plain Text Credential Leak CVE-2024-34542
Advantech ADAM-5630 shares user credentials in plain text between the device and the user source device during the login process.
Adam 5630 Firmware
CVE-2024-37187 Sep 27, 2024
Advantech ADAM-5550 insecure Base64 credential storage (CVE-2024-37187)
Advantech ADAM-5550 shares user credentials with a low level of encryption, consisting of base 64 encoding.
Adam 5550 Firmware
CVE-2024-2453 Mar 21, 2024
Authenticated SQLi in Advantech WebAccess/SCADA DB
There is an SQL injection vulnerability in Advantech WebAccess/SCADA software that allows an authenticated attacker to remotely inject SQL code in the database. Successful exploitation of this vulnerability could allow an attacker to read or modify data on the remote database.
Webaccess Scada
CVE-2023-5642 Oct 18, 2023
Advantech R-SeeNet pre2.4.23 Unauth R/W to snmpmon.ini
Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attacker to read from and write to the snmpmon.ini file, which contains sensitive information.
R Seenet
CVE-2023-4215 Oct 17, 2023
Advantech WebAccess 9.1.3 Information Disclosure of Credentials
Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials.
Webaccess
CVE-2023-1437 Aug 02, 2023
Advantech WebAccess/SCADA RPC Untrusted Pointer RCE v<=9.1.4
All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments the client sent could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files.
Webaccessscada
Webaccess Scada
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).