CVE-2025-34244 MEDIUM

CVE-2025-34244: Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxFwRulesController.ajaxDeviceFwRulesAction()

Vendor Advantech

Product WebAccess/VPN

Weakness CWE-89 · SQLi

Published November 6, 2025

Last update November 17, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxDeviceFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

Key dates

02Disclosure timeline

November 6, 2025 CVE published

November 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-34244

Related vulnerabilities

04Related CVE

CVE-2024-10856 Booking Calendar WpDevArt <= 3.2.19 - Authenticated (Contributor+) SQL Injection CVE-2025-2060 PHPGurukul Emergency Ambulance Hiring Portal admin-profile.php sql injection CVE-2025-13276 g33kyrash Online-Banking-System index.php sql injection CVE-2025-0391 Guangzhou Huayi Intelligent Technology Jeewms CgFormBuildController. java saveOrUpdate sql injection CVE-2025-1158 ESAFENET CDG addPolicyToSafetyGroup.jsp sql injection