CVE-2025-13373
Description
Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Advantech iView versions 5.7.05.7057 and prior contain a pre-authentication SQL injection vulnerability in SNMP v1 trap handling, allowing remote data disclosure.
Vulnerability Overview
CVE-2025-13373 is an SQL injection vulnerability in Advantech iView, versions 5.7.05.7057 and prior. The root cause is improper sanitization of SNMP v1 trap requests received on Port 162, allowing an attacker to inject arbitrary SQL commands [1][2].
Attack Vector
The vulnerability is exploitable remotely over the network without authentication or user interaction (CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). An attacker sends specially crafted SNMP v1 trap messages to the affected service. No special network position or privileges are required, and the attack complexity is low [2].
Impact
Successful exploitation enables an attacker to disclose sensitive information. The CVSS vector indicates a high confidentiality impact with no direct impact on integrity or availability. The CISA advisory further notes the attacker could modify or delete data [2]. The vulnerability is of particular concern for critical manufacturing and IT sectors where iView is deployed worldwide [2].
Mitigation
Advantech has released a fix in iView v5.8.1. Users are strongly recommended to update to this version. As a defense-in-depth measure, CISA advises minimizing network exposure of control system devices, isolating them behind firewalls, and using secure remote access methods such as VPNs [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.