Advantech Iview

Advantech iView <=5.7.05.7057 SQL injection via SNMP v1 trap (Port 162)
CVE-2025-13373 7.5 - High - December 04, 2025

Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.

SQL Injection

Advantech iView <=5.7.04 SNMP Auth Bypass + SQLi RCE
CVE-2022-50595 - November 06, 2025

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ztp_search_value parameter to the NetworkServlet endpoint. Successful exploitation allows for remote code execution with administrator privileges.

SQL Injection

Advantech iView <5.7.04 SQL injection via SNMP
CVE-2022-50591 - November 06, 2025

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ztp_config_id parameter to the NetworkServlet endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.

SQL Injection

Advantech iView <5.7.04: SNMP Auth Bypass + SQLi RCE
CVE-2022-50593 - November 06, 2025

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the search_term parameter to the NetworkServlet endpoint. Successful exploitation allows for remote code execution with administrator privileges.

SQL Injection

Advantech iView before v5.7.04: SNMP Auth Bypass + SQLi RCE
CVE-2022-50592 - November 06, 2025

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the getInventoryReportData parameter to the NetworkServlet endpoint. Successful exploitation allows for remote code execution with administrator privileges.

SQL Injection

Advantech iView <=5.7.04 SNMP Auth Bypass + SQLi in NetworkServlet
CVE-2022-50594 - November 06, 2025

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the data parameter to the NetworkServlet endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.

SQL Injection

Advantech iView <5.7.05 XSS Reflected Exploit
CVE-2025-53519 - July 11, 2025

A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating specific parameters, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities.

XSS

Advantech iView SQLi & RCE via NetworkServlet.getNextTrapPage()
CVE-2025-53475 - July 11, 2025

A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters in this function are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.

SQL Injection

Advantech iView SQLi & RCE via NetworkServlet.archiveTrapRange()
CVE-2025-52577 - July 11, 2025

A vulnerability exists in Advantech iView that could allow SQL injection and remote code execution through NetworkServlet.archiveTrapRange(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.

SQL Injection

SQLi in Advantech iView via CUtils.checkSQLInjection
CVE-2025-48891 - July 11, 2025

A vulnerability exists in Advantech iView that could allow for SQL injection through the CUtils.checkSQLInjection() function. This vulnerability can be exploited by an authenticated attacker with at least user-level privileges, potentially leading to information disclosure or a denial-of-service condition.

SQL Injection

Directory Traversal in Advantech iView via NetworkServlet.processImportRequest
CVE-2025-46704 - July 11, 2025

A vulnerability exists in Advantech iView in NetworkServlet.processImportRequest() that could allow for a directory traversal attack. This issue requires an authenticated attacker with at least user-level privileges. A specific parameter is not properly sanitized or normalized, potentially allowing an attacker to determine the existence of arbitrary files on the server.

Directory traversal

Advantech iView Reflected XSS before 5.7.05b7057
CVE-2025-41442 - July 11, 2025

A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating certain input parameters, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities.

XSS

SQLi & RCE via NetworkServlet.archiveTrap() in Advantech iView
CVE-2025-53515 - July 11, 2025

A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.

SQL Injection

Advantech iView NetworkServlet Arg Injection Enables Credential Exposure
CVE-2025-53509 - July 11, 2025

A vulnerability exists in Advantech iView that allows for argument injection in the NetworkServlet.restoreDatabase(). This issue requires an authenticated attacker with at least user-level privileges. An input parameter can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.

Argument Injection

Advantech iView <5.7.05 build7057 Reflected XSS in Web UI
CVE-2025-53397 6.1 - Medium - July 11, 2025

A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By exploiting this flaw, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities.

XSS

Advantech iView Argument Injection in NetworkServlet via Unsanitized Parameters
CVE-2025-52459 - July 11, 2025

A vulnerability exists in Advantech iView that allows for argument injection in NetworkServlet.backupDatabase(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.

Argument Injection

Advantech iView ConfigurationServlet SQL Injection Causing Credential Disclosure
CVE-2023-52335 7.5 - High - November 22, 2024

Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863.

SQL Injection

Advantech iView < 5.7.4 blind SQLi via CUtils.checkSQLInjection bypass
CVE-2023-3983 8.8 - High - July 31, 2023

An authenticated SQL injection vulnerability exists in Advantech iView versions prior to v5.7.4 build 6752. An authenticated remote attacker can bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform blind SQL injection.

SQL Injection

SQL Injection in Advantech iView 5.7.04.6469 ConfigurationServlet
CVE-2022-3323 7.5 - High - September 27, 2022

An SQL injection vulnerability in Advantech iView 5.7.04.6469. The specific flaw exists within the ConfigurationServlet endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column_value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform SQL injection. For example, the attacker can exploit the vulnerability to retrieve the iView admin password.

SQL Injection

The affected product is vulnerable to directory traversal, which may
CVE-2022-2139 9.8 - Critical - July 22, 2022

The affected product is vulnerable to directory traversal, which may allow an attacker to access unauthorized files and execute arbitrary code.

Directory traversal

The affected product is vulnerable to two instances of command injection, which may
CVE-2022-2143 9.8 - Critical - July 22, 2022

The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code.

The affected product is vulnerable to multiple SQL injections, which may
CVE-2022-2135 7.5 - High - July 22, 2022

The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information.

SQL Injection

The affected product is vulnerable to multiple SQL injections
CVE-2022-2136 6.5 - Medium - July 22, 2022

The affected product is vulnerable to multiple SQL injections that require low privileges for exploitation and may allow an unauthorized attacker to disclose information.

SQL Injection

The affected product is vulnerable to two SQL injections
CVE-2022-2137 4.9 - Medium - July 22, 2022

The affected product is vulnerable to two SQL injections that require high privileges for exploitation and may allow an unauthorized attacker to disclose information

SQL Injection

The affected product is vulnerable due to missing authentication, which may
CVE-2022-2138 7.5 - High - July 22, 2022

The affected product is vulnerable due to missing authentication, which may allow an attacker to read or modify sensitive data and execute arbitrary code, resulting in a denial-of-service condition.

Missing Authentication for Critical Function

The affected product is vulnerable to a SQL injection with high attack complexity, which may
CVE-2022-2142 5.9 - Medium - July 22, 2022

The affected product is vulnerable to a SQL injection with high attack complexity, which may allow an unauthorized attacker to disclose information.

SQL Injection

The affected products configuration is vulnerable due to missing authentication, which may
CVE-2021-32930 9.8 - Critical - June 11, 2021

The affected products configuration is vulnerable due to missing authentication, which may allow an attacker to change configurations and execute arbitrary code on the iView (versions prior to v5.7.03.6182).

Missing Authentication for Critical Function

The affected product is vulnerable to a SQL injection, which may
CVE-2021-32932 7.5 - High - June 11, 2021

The affected product is vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information on the iView (versions prior to v5.7.03.6182).

SQL Injection

Access to the Advantech iView versions prior to v5.7.03.6112 configuration are missing authentication, which may
CVE-2021-22652 9.8 - Critical - February 11, 2021

Access to the Advantech iView versions prior to v5.7.03.6112 configuration are missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution.

Missing Authentication for Critical Function

Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may
CVE-2021-22658 9.8 - Critical - February 11, 2021

Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an attacker to escalate privileges to 'Administrator'.

SQL Injection

Advantech iView versions prior to v5.7.03.6112 are vulnerable to directory traversal, which may
CVE-2021-22656 7.5 - High - February 11, 2021

Advantech iView versions prior to v5.7.03.6112 are vulnerable to directory traversal, which may allow an attacker to read sensitive files.

Directory traversal

Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may
CVE-2021-22654 7.5 - High - February 11, 2021

Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information.

SQL Injection

Advantech iView, versions 5.6 and prior, has an improper access control vulnerability
CVE-2020-14499 7.5 - High - July 15, 2020

Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.