Advantech Products SQL Injection Vulnerability Allowing Arbitrary SQL Command Execution
Vulnerability
A SQL injection vulnerability has been identified in several Advantech products: IoTSuite SaaSComposer, IoTSuite Growth Linux docker, IoTSuite Starter Linux docker, IoT Edge Linux docker, and IoT Edge Windows. An unauthenticated remote attacker can execute arbitrary SQL commands against the affected service when it is reachable from the Internet. Affected versions are IoTSuite SaaSComposer prior to 3.4.15, and IoTSuite Growth Linux docker, IoTSuite Starter Linux docker, IoT Edge Linux docker, and IoT Edge Windows prior to V2.0.2.
Impact
Successful exploitation lets an unauthenticated remote attacker run arbitrary SQL commands against the vulnerable service's database, which may allow data to be read or modified. Because no credentials are required, any affected instance reachable from the Internet should be treated as exposed until it is updated.
Remediation
Users and administrators should update to the fixed versions listed above. For IoTSuite SaaSComposer, IoTSuite Growth Linux docker, and IoT Edge Windows, contact Advantech for the official release of the fixed version. For IoTSuite Starter Linux docker and IoT Edge Linux docker, download the update from the Advantech KB Insight portal. Until the fix is applied, restrict network exposure of the service, since the vulnerability is exploitable without authentication whenever the service is reachable from the Internet.
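To turn the affected-version list and the remediation routes above into a repeatable inventory check, the following is an added example (not code from Advantech or from this advisory). It encodes the fixed versions and update sources exactly as the advisory states them, compares installed versions numerically so that a string like V2.0.10 is not mistaken for an affected build, and refuses to treat unknown product names as safe. The sample inventory and the function names are constructed for illustration.

```python
import re

# Fixed versions as stated in the advisory; anything strictly below is affected.
# Product names are the advisory's own; the mapping itself is this example's convention.
FIXED_VERSIONS = {
    "IoTSuite SaaSComposer": "3.4.15",
    "IoTSuite Growth Linux docker": "V2.0.2",
    "IoTSuite Starter Linux docker": "V2.0.2",
    "IoT Edge Linux docker": "V2.0.2",
    "IoT Edge Windows": "V2.0.2",
}

# Where the fixed build comes from, per the advisory's remediation section.
REMEDIATION_SOURCE = {
    "IoTSuite SaaSComposer": "contact Advantech",
    "IoTSuite Growth Linux docker": "contact Advantech",
    "IoT Edge Windows": "contact Advantech",
    "IoTSuite Starter Linux docker": "Advantech KB Insight portal",
    "IoT Edge Linux docker": "Advantech KB Insight portal",
}


def parse_version(text: str) -> tuple:
    """Turn 'V2.0.2', 'v2.0.2' or '3.4.15' into a tuple of ints for ordering.

    Numeric tuples compare correctly where plain strings do not
    ('2.0.10' < '2.0.2' as strings, but (2,0,10) > (2,0,2) as tuples).
    Raises ValueError on anything that is not dotted integers.
    """
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(product: str, version: str) -> bool:
    """True if the installed version is strictly below the advisory's fixed version.

    Unknown product names raise KeyError deliberately: an inventory entry that
    cannot be matched must surface as an error, not be reported as unaffected.
    """
    fixed = parse_version(FIXED_VERSIONS[product])
    return parse_version(version) < fixed


def assess(inventory: list) -> list:
    """inventory: list of (product, installed_version) pairs.

    Returns one (product, version, affected, action) tuple per entry, where
    action is the advisory's update source for affected entries.
    """
    report = []
    for product, version in inventory:
        affected = is_affected(product, version)
        action = REMEDIATION_SOURCE[product] if affected else "no action"
        report.append((product, version, affected, action))
    return report


# Constructed sample inventory for this example; not real deployments.
SAMPLE_INVENTORY = [
    ("IoTSuite SaaSComposer", "3.4.14"),        # affected: below 3.4.15
    ("IoTSuite SaaSComposer", "3.4.15"),        # fixed version itself
    ("IoT Edge Linux docker", "V2.0.1"),        # affected: below V2.0.2
    ("IoT Edge Linux docker", "v2.0.10"),       # not affected: 2.0.10 > 2.0.2
    ("IoTSuite Starter Linux docker", "V1.9.9"),  # affected: below V2.0.2
]

if __name__ == "__main__":
    for product, version, affected, action in assess(SAMPLE_INVENTORY):
        status = "AFFECTED" if affected else "ok"
        print(f"{product:32} {version:8} {status:9} {action}")
```

Feed `assess` with the product and version pairs from your own asset inventory; entries that come back affected carry the update source the advisory gives for that product.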
