Advantech Advantech System Integration services HW/SW


Products by Advantech Sorted by Most Security Vulnerabilities since 2018

Advantech Webaccess: 60 vulnerabilities

Advantech R Seenet: 37 vulnerabilities

Advantech Webaccessscada: 23 vulnerabilities

Advantech Iview: 17 vulnerabilities

Advantech Adam 5630 Firmware: 3 vulnerabilities

Advantech Adam 5550 Firmware: 2 vulnerabilities

Advantech Adam 6051: 1 vulnerability

Advantech Adam 6015: 1 vulnerability

Advantech Adam 6017: 1 vulnerability

Advantech Adam 6018: 1 vulnerability

Advantech Adam 6022: 1 vulnerability

Advantech Adam 6024: 1 vulnerability

Advantech Adam 6050: 1 vulnerability

Advantech Adam 6050w: 1 vulnerability

Advantech Adam 6060: 1 vulnerability

Advantech Adam 6051w: 1 vulnerability

Advantech Adam 6052: 1 vulnerability

Advantech Adam 6501: 1 vulnerability

Advantech Adam 6066: 1 vulnerability

Advantech Adam 6060w: 1 vulnerability

By the Year

In 2025 there have been 0 vulnerabilities in Advantech. Last year, in 2024, Advantech had 6 security vulnerabilities published. Right now, Advantech is on track to have fewer security vulnerabilities in 2025 than it did last year.




Year   Vulnerabilities   Average Score
2025   0                 0.00
2024   6                 7.10
2023   10                8.84
2022   15                7.90
2021   62                7.32
2020   28                8.30
2019   31                8.98
2018   28                7.88

It may take a day or so for new Advantech vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Advantech Security Vulnerabilities

Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability

CVE-2023-52335 7.5 - High - November 22, 2024

Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863.

SQL Injection

Advantech ADAM-5630 shares user credentials in plain text between the device and the user source device during the login process.

CVE-2024-34542 5.7 - Medium - September 27, 2024

Advantech ADAM-5630 shares user credentials in plain text between the device and the user source device during the login process.

Insufficiently Protected Credentials

Advantech ADAM-5550 shares user credentials with a low level of encryption

CVE-2024-37187 5.7 - Medium - September 27, 2024

Advantech ADAM-5550 shares user credentials with a low level of encryption, consisting of Base64 encoding.

Insufficiently Protected Credentials

Advantech ADAM 5550's web application includes a "logs" page where all the HTTP requests received are displayed to the user

CVE-2024-38308 6.1 - Medium - September 27, 2024

Advantech ADAM 5550's web application includes a "logs" page where all the HTTP requests received are displayed to the user. The device doesn't correctly neutralize malicious code when parsing HTTP requests to generate page output.

XSS

Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a session is closed

CVE-2024-39275 8.8 - High - September 27, 2024

Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges as the legitimate user.

Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability

CVE-2024-28948 8.8 - High - September 27, 2024

Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

Session Riding

Advantech R-SeeNet v2.4.23

CVE-2023-5642 9.8 - Critical - October 18, 2023

Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attacker to read from and write to the snmpmon.ini file, which contains sensitive information.

Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability

CVE-2023-4215 7.5 - High - October 17, 2023

Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials.

Debug Messages Revealing Unnecessary Information

All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers

CVE-2023-1437 9.8 - Critical - August 02, 2023

All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments the client sent could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files.

Untrusted Pointer Dereference

An authenticated SQL injection vulnerability exists in Advantech iView versions prior to v5.7.4 build 6752

CVE-2023-3983 8.8 - High - July 31, 2023

An authenticated SQL injection vulnerability exists in Advantech iView versions prior to v5.7.4 build 6752. An authenticated remote attacker can bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform blind SQL injection.

SQL Injection

Advantech R-SeeNet version 2.4.22 is installed with a hidden root-level user that is not available in the users list

CVE-2023-2611 9.8 - Critical - June 22, 2023

Advantech R-SeeNet version 2.4.22 is installed with a hidden root-level user that is not available in the users list. This hidden user has a password that cannot be changed by users.

Use of Hard-coded Credentials

Advantech R-SeeNet version 2.4.22

CVE-2023-3256 8.1 - High - June 22, 2023

Advantech R-SeeNet version 2.4.22 allows low-level users to access and load the content of local files.

Externally Controlled Reference to a Resource in Another Sphere

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5

CVE-2023-2866 7.8 - High - June 07, 2023

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.

Insufficient Verification of Data Authenticity

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability

CVE-2023-22450 7.2 - High - June 06, 2023

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution.

Unrestricted File Upload

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could

CVE-2023-32540 9.8 - Critical - June 06, 2023

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution.

Code Injection

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability

CVE-2023-32628 9.8 - Critical - June 06, 2023

In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution.

Unrestricted File Upload

Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow

CVE-2022-3385 9.8 - Critical - October 27, 2022

Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow. An unauthorized attacker can remotely overflow the stack buffer and enable remote code execution.

Memory Corruption

Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow

CVE-2022-3386 9.8 - Critical - October 27, 2022

Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow. An unauthorized attacker can use an outsized filename to overflow the stack buffer and enable remote code execution.

Memory Corruption

Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path traversal attacks

CVE-2022-3387 5.3 - Medium - October 27, 2022

Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path traversal attacks. An unauthorized attacker could remotely exploit vulnerable PHP code to delete .PDF files.

Directory traversal

An SQL injection vulnerability in Advantech iView 5.7.04.6469

CVE-2022-3323 7.5 - High - September 27, 2022

An SQL injection vulnerability in Advantech iView 5.7.04.6469. The specific flaw exists within the ConfigurationServlet endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column_value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform SQL injection. For example, the attacker can exploit the vulnerability to retrieve the iView admin password.

SQL Injection

The affected product is vulnerable to directory traversal, which may

CVE-2022-2139 9.8 - Critical - July 22, 2022

The affected product is vulnerable to directory traversal, which may allow an attacker to access unauthorized files and execute arbitrary code.

Directory traversal

The affected product is vulnerable to two instances of command injection, which may

CVE-2022-2143 9.8 - Critical - July 22, 2022

The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code.

The affected product is vulnerable to multiple SQL injections, which may

CVE-2022-2135 7.5 - High - July 22, 2022

The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information.

SQL Injection

The affected product is vulnerable to multiple SQL injections

CVE-2022-2136 6.5 - Medium - July 22, 2022

The affected product is vulnerable to multiple SQL injections that require low privileges for exploitation and may allow an unauthorized attacker to disclose information.

SQL Injection

The affected product is vulnerable to two SQL injections

CVE-2022-2137 4.9 - Medium - July 22, 2022

The affected product is vulnerable to two SQL injections that require high privileges for exploitation and may allow an unauthorized attacker to disclose information.

SQL Injection

The affected product is vulnerable due to missing authentication, which may

CVE-2022-2138 7.5 - High - July 22, 2022

The affected product is vulnerable due to missing authentication, which may allow an attacker to read or modify sensitive data and execute arbitrary code, resulting in a denial-of-service condition.

Missing Authentication for Critical Function

The affected product is vulnerable to a SQL injection with high attack complexity, which may

CVE-2022-2142 5.9 - Medium - July 22, 2022

The affected product is vulnerable to a SQL injection with high attack complexity, which may allow an unauthorized attacker to disclose information.

SQL Injection

A privilege escalation vulnerability exists in Advantech SQ Manager Server 1.0.6

CVE-2021-40388 8.8 - High - January 28, 2022

A privilege escalation vulnerability exists in Advantech SQ Manager Server 1.0.6. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.

Incorrect Default Permissions

A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iEdge Server 1.0.2

CVE-2021-40389 8.8 - High - January 28, 2022

A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iEdge Server 1.0.2. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.

Incorrect Default Permissions

A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iService 1.1.7

CVE-2021-40396 8.8 - High - January 28, 2022

A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iService 1.1.7. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.

Incorrect Default Permissions

A privilege escalation vulnerability exists in the installation of Advantech WISE-PaaS/OTA Server 3.0.9

CVE-2021-40397 7.8 - High - January 28, 2022

A privilege escalation vulnerability exists in the installation of Advantech WISE-PaaS/OTA Server 3.0.9. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.

Incorrect Default Permissions

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21922 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the username_filter parameter with the administrative account or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21926 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities at the health_filter parameter. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21937 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the host_alt_filter parameter. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21936 8.8 - High - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the health_alt_filter parameter. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21935 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the host_alt_filter2 parameter. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21934 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at the imei_filter parameter. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21933 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at the esn_filter parameter. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21932 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at the name_filter parameter. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21931 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at the stat_filter parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21930 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at the sn_filter parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21929 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at the prod_filter parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21928 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at the mac_filter parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21924 6.5 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities at the desc_filter parameter. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

An exploitable SQL injection vulnerability exists in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021)

CVE-2021-21915 8.8 - High - December 22, 2021

An exploitable SQL injection vulnerability exists in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at the company_filter parameter can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

An exploitable SQL injection vulnerability exists in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021)

CVE-2021-21916 8.8 - High - December 22, 2021

An exploitable SQL injection vulnerability exists in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at the description_filter parameter can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

An exploitable SQL injection vulnerability exists in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021)

CVE-2021-21917 8.8 - High - December 22, 2021

An exploitable SQL injection vulnerability exists in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at the ord parameter can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21918 4.9 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the name_filter parameter. However, the high-privilege super-administrator account needs to be used to achieve exploitation without a cross-site request forgery attack.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21919 4.9 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the ord parameter. However, the high-privilege super-administrator account needs to be used to achieve exploitation without a cross-site request forgery attack.

SQL Injection

A specially-crafted HTTP request can lead to SQL injection

CVE-2021-21921 4.9 - Medium - December 22, 2021

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the name_filter parameter with the administrative account or through cross-site request forgery.

SQL Injection

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).