CVE-2025-34247: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Advantech WebAccess/VPN
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in NetworksController.addNetworkAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.
AI Analysis
Technical Summary
CVE-2025-34247 is an SQL injection vulnerability identified in Advantech WebAccess/VPN versions prior to 1.1.5. The flaw exists in the NetworksController.addNetworkAction() method, where insufficient input sanitization of datatable search parameters allows an authenticated user with observer-level privileges to inject malicious SQL commands. This improper neutralization of special elements used in SQL commands (CWE-89) enables attackers to manipulate backend database queries, potentially disclosing sensitive information stored within the database. The vulnerability requires authentication but no user interaction, and the attacker must have at least observer-level access, which is typically a low-privileged role. The CVSS 4.0 base score is 5.1 (medium), reflecting network attack vector, low attack complexity, no user interaction, and limited confidentiality and integrity impact. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability primarily threatens confidentiality by exposing database contents and could also affect data integrity if leveraged further. Given Advantech’s prominence in industrial automation and VPN solutions, this vulnerability could be leveraged to gain intelligence on network configurations or sensitive operational data.
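The root cause described above, shown as an added illustration that is not Advantech's code: a datatable search handler that concatenates the search term into SQL, beside a version that binds it and allowlists the sort column. The `networks` table, its rows and the DataTables-style parameter names (`search[value]`, `order[0][column]`, `order[0][dir]`) are assumptions, since the page does not show the product's actual query or field names.

```python
import sqlite3

# Allowlist of sortable columns; the client only supplies an index into it.
SORTABLE = ("id", "name", "cidr")

def make_db():
    """Constructed in-memory table standing in for the application's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE networks (id INTEGER PRIMARY KEY, name TEXT, cidr TEXT)")
    db.executemany(
        "INSERT INTO networks (name, cidr) VALUES (?, ?)",
        [("plant-a", "10.1.0.0/24"), ("plant-b", "10.2.0.0/24"), ("lab_100%", "10.3.0.0/24")],
    )
    return db

def search_unsafe(db, params):
    # Flawed pattern: the search term becomes part of the SQL text itself.
    term = params.get("search[value]", "")
    sql = "SELECT name FROM networks WHERE name LIKE '%" + term + "%' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def search_safe(db, params):
    term = params.get("search[value]", "")
    # Escape LIKE wildcards so the term matches literally, then bind it as data.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    # Column names and sort direction cannot be bound, so map them via an allowlist.
    try:
        index = int(params.get("order[0][column]", "0"))
    except ValueError:
        index = 0
    column = SORTABLE[index] if 0 <= index < len(SORTABLE) else "id"
    direction = "DESC" if params.get("order[0][dir]") == "desc" else "ASC"
    sql = ("SELECT name FROM networks WHERE name LIKE ? ESCAPE '\\' "
           f"ORDER BY {column} {direction}")
    return [row[0] for row in db.execute(sql, (f"%{escaped}%",))]
```

With a quote in the search term, `search_unsafe` returns every row because the term rewrites the WHERE clause, while `search_safe` treats the same input as a literal string that matches nothing.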
Potential Impact
For European organizations, especially those in industrial automation, manufacturing, and critical infrastructure sectors relying on Advantech WebAccess/VPN, this vulnerability poses a risk of unauthorized data disclosure. Attackers with low-privileged observer access could extract sensitive network and operational data, potentially aiding further attacks or espionage. This could lead to exposure of intellectual property, network topology, or credentials stored in the database. While the vulnerability does not directly impact system availability, the confidentiality breach could have regulatory implications under GDPR and other data protection laws, leading to legal and reputational damage. Organizations in sectors such as energy, manufacturing, and transportation, which heavily use industrial control systems, may face increased risk. The medium severity indicates that while exploitation is feasible, it requires authenticated access, somewhat limiting the attack surface but not eliminating risk.
Mitigation Recommendations
European organizations should immediately verify if they use Advantech WebAccess/VPN versions prior to 1.1.5 and plan to upgrade to the latest patched version once available. In the absence of an official patch, organizations should implement strict access controls to limit observer user accounts and monitor their activities closely. Input validation and sanitization should be enforced at the application layer, potentially via web application firewalls (WAFs) configured to detect and block SQL injection patterns targeting datatable search parameters. Network segmentation should be employed to isolate management interfaces from general user access. Additionally, organizations should conduct regular audits of database access logs to detect anomalous queries indicative of injection attempts. Employing multi-factor authentication (MFA) for all users, including low-privileged ones, can reduce the risk of credential compromise. Finally, organizations should prepare incident response plans to quickly address any detected exploitation attempts.
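One way to carry out the log review recommended above, as an added example that is not part of the original advisory: it scans web access logs for SQL metacharacters or keywords inside datatable search parameters only. The log format, the `/example/networks` path, the user names and the DataTables parameter names are constructed assumptions, and it presumes the search fields travel in the query string that the proxy logs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# DataTables search fields: search[value] and columns[N][search][value] (assumed names).
SEARCH_KEY = re.compile(r"^(search|columns\[\d+\]\[search\])\[value\]$")
# Heuristic markers only; tune against normal operator searches to limit false positives.
SUSPICIOUS = re.compile(
    r"('|\"|--|/\*|;|\b(union|select|sleep|benchmark|information_schema)\b)", re.I)
# Constructed access-log layout: ip, ident, user, [time], "METHOD url proto", status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]+" (?P<status>\d{3})')

def flag_requests(lines):
    """Return (user, parameter, decoded value) for each suspicious search field."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        query = urlsplit(m["url"]).query
        # parse_qsl percent-decodes keys and values, so encoded quotes are seen too.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if SEARCH_KEY.match(key) and SUSPICIOUS.search(value):
                hits.append((m["user"], key, value))
    return hits

# Constructed sample lines (documentation IP range, hypothetical path and users).
SAMPLE_LOG = [
    '192.0.2.10 - observer1 [06/Nov/2025:10:00:01 +0000] '
    '"GET /example/networks?draw=1&search%5Bvalue%5D=plant-a HTTP/1.1" 200 512',
    '192.0.2.10 - observer1 [06/Nov/2025:10:00:09 +0000] '
    '"GET /example/networks?draw=2&search%5Bvalue%5D=x%27+OR+name+LIKE+%27 HTTP/1.1" 200 2048',
    '192.0.2.44 - observer2 [06/Nov/2025:10:02:30 +0000] '
    '"GET /example/networks?draw=1&columns%5B1%5D%5Bsearch%5D%5Bvalue%5D=a+UNION+SELECT+1 HTTP/1.1" 500 120',
    '192.0.2.7 - admin [06/Nov/2025:10:03:00 +0000] '
    '"GET /example/networks?draw=1&filter=o%27brien&search%5Bvalue%5D=lab HTTP/1.1" 200 300',
]
```

Grouping the returned tuples by user gives a short list of observer accounts whose search activity deserves a closer look in the database audit logs.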
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.577Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690cffa2e0be399672357164
Added to database: 11/6/2025, 8:05:54 PM
Last enriched: 11/17/2025, 8:24:49 PM
Last updated: 12/26/2025, 12:52:32 AM