Advantech patches maximum-severity SQL injection flaw in IoT products
Take action: Make sure all industrial devices are isolated from the internet and accessible from trusted networks only. Update your Advantech IoTSuite and IoT Edge software to the latest versions immediately to prevent remote database takeovers.
The Cyber Security Agency of Singapore (CSA) reports a critical flaw in the Advantech IoT software suite that lets attackers run database commands without logging in. The flaw affects several products used to manage industrial internet-of-things (IoT) devices.
The flaw is tracked as CVE-2025-52694 (CVSS score 10.0), a SQL injection vulnerability that allows unauthenticated remote code execution on the database service.
Several Advantech IoT platforms are vulnerable:
- IoTSuite SaaSComposer versions before 3.4.15
- IoTSuite Growth Linux docker versions before V2.0.2
- IoTSuite Starter Linux docker versions before V2.0.2
- IoT Edge Linux docker versions before V2.0.2
- IoT Edge Windows versions before V2.0.2
Advantech urges users to update their software immediately. For some products, users must contact the company directly for the fix. For others, like the Linux docker versions, download links are available on the official Advantech advisory page.