Unrated severityNVD Advisory· Published Nov 6, 2025· Updated Nov 17, 2025

Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxDeviceController.ajaxDeviceAction()

CVE-2025-34241

Description

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxDeviceController.ajaxDeviceAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

Affected products

Advantech/Webaccessllm-fuzzy
Range: <1.1.5
Advantech/WebAccess/VPNv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

icr.advantech.com/support/router-models/download/511/sa-2025-01-vpn-portal-2025-11-06.pdfmitrevendor-advisorypatch
www.vulncheck.com/advisories/advantech-webaccess-vpn-sqli-via-ajaxdevicecontroller-ajaxdeviceactionmitrethird-party-advisory
icr.advantech.com/download/softwaremitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000