Details of VAR-202206-2050

ID

VAR-202206-2050

CVE

CVE-2022-2135

TITLE

Advantech iView setTaskEditorItem DESCRIPTION SQL Injection Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-22-919

DESCRIPTION

The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing any element of the performZTPConfig action, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of SYSTEM

Trust: 11.7

sources: NVD: CVE-2022-2135 // ZDI: ZDI-22-918 // ZDI: ZDI-22-880 // ZDI: ZDI-22-883 // ZDI: ZDI-22-885 // ZDI: ZDI-22-890 // ZDI: ZDI-22-893 // ZDI: ZDI-22-895 // ZDI: ZDI-22-900 // ZDI: ZDI-22-919 // ZDI: ZDI-22-905 // ZDI: ZDI-22-910 // ZDI: ZDI-22-913 // ZDI: ZDI-22-914 // ZDI: ZDI-22-915 // ZDI: ZDI-22-916 // ZDI: ZDI-22-917 // ZDI: ZDI-22-903 // VULHUB: VHN-426269

AFFECTED PRODUCTS

vendor:	advantech	model:	iview	scope:	-	version:	-	Trust: 11.9
vendor:	advantech	model:	iview	scope:	lt	version:	5.7.04.6469	Trust: 1.0

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-910 // ZDI: ZDI-22-905 // ZDI: ZDI-22-903 // ZDI: ZDI-22-900 // ZDI: ZDI-22-895 // ZDI: ZDI-22-893 // ZDI: ZDI-22-890 // ZDI: ZDI-22-885 // ZDI: ZDI-22-883 // ZDI: ZDI-22-880 // NVD: CVE-2022-2135

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2022-2135
value:	HIGH
Trust: 9.1
ZDI:	CVE-2022-2135
value:	CRITICAL
Trust: 2.8
nvd@nist.gov:	CVE-2022-2135
value:	HIGH
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2022-2135
value:	HIGH
Trust: 1.0

ZDI:	CVE-2022-2135
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 9.1
ZDI:	CVE-2022-2135
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 2.8
nvd@nist.gov:	CVE-2022-2135
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 2.0

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.1

sources: VULHUB: VHN-426269 // NVD: CVE-2022-2135

PATCH

title:

Advantech has issued an update to correct this vulnerability.

url:

https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 11.9

EXTERNAL IDS

db:	NVD	id:	CVE-2022-2135	Trust: 13.0
db:	ICS CERT	id:	ICSA-22-179-03	Trust: 1.1
db:	ZDI_CAN	id:	ZDI-CAN-16750	Trust: 0.7
db:	ZDI	id:	ZDI-22-919	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16529	Trust: 0.7
db:	ZDI	id:	ZDI-22-918	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16535	Trust: 0.7
db:	ZDI	id:	ZDI-22-917	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16561	Trust: 0.7
db:	ZDI	id:	ZDI-22-916	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16585	Trust: 0.7
db:	ZDI	id:	ZDI-22-915	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16562	Trust: 0.7
db:	ZDI	id:	ZDI-22-914	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16591	Trust: 0.7
db:	ZDI	id:	ZDI-22-913	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16659	Trust: 0.7
db:	ZDI	id:	ZDI-22-910	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16583	Trust: 0.7
db:	ZDI	id:	ZDI-22-905	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16724	Trust: 0.7
db:	ZDI	id:	ZDI-22-903	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16548	Trust: 0.7
db:	ZDI	id:	ZDI-22-900	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16544	Trust: 0.7
db:	ZDI	id:	ZDI-22-895	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16648	Trust: 0.7
db:	ZDI	id:	ZDI-22-893	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16656	Trust: 0.7
db:	ZDI	id:	ZDI-22-890	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16584	Trust: 0.7
db:	ZDI	id:	ZDI-22-885	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16646	Trust: 0.7
db:	ZDI	id:	ZDI-22-883	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-16782	Trust: 0.7
db:	ZDI	id:	ZDI-22-880	Trust: 0.7
db:	VULHUB	id:	VHN-426269	Trust: 0.1

REFERENCES

url:

https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 13.0

CREDITS

@rgod777

Trust: 8.4

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-910 // ZDI: ZDI-22-905 // ZDI: ZDI-22-903 // ZDI: ZDI-22-893 // ZDI: ZDI-22-890 // ZDI: ZDI-22-885 // ZDI: ZDI-22-883

SOURCES

db:	ZDI	id:	ZDI-22-919
db:	ZDI	id:	ZDI-22-918
db:	ZDI	id:	ZDI-22-917
db:	ZDI	id:	ZDI-22-916
db:	ZDI	id:	ZDI-22-915
db:	ZDI	id:	ZDI-22-914
db:	ZDI	id:	ZDI-22-913
db:	ZDI	id:	ZDI-22-910
db:	ZDI	id:	ZDI-22-905
db:	ZDI	id:	ZDI-22-903
db:	ZDI	id:	ZDI-22-900
db:	ZDI	id:	ZDI-22-895
db:	ZDI	id:	ZDI-22-893
db:	ZDI	id:	ZDI-22-890
db:	ZDI	id:	ZDI-22-885
db:	ZDI	id:	ZDI-22-883
db:	ZDI	id:	ZDI-22-880
db:	VULHUB	id:	VHN-426269
db:	NVD	id:	CVE-2022-2135

LAST UPDATE DATE

2026-04-17T23:59:01.463000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-22-919	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-918	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-917	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-916	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-915	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-914	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-913	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-910	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-905	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-903	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-900	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-895	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-893	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-890	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-885	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-883	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-880	date:	2022-06-30T00:00:00
db:	VULHUB	id:	VHN-426269	date:	2022-07-28T00:00:00
db:	NVD	id:	CVE-2022-2135	date:	2022-07-28T20:10:10.260

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-22-919	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-918	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-917	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-916	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-915	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-914	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-913	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-910	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-905	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-903	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-900	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-895	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-893	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-890	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-885	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-883	date:	2022-06-30T00:00:00
db:	ZDI	id:	ZDI-22-880	date:	2022-06-30T00:00:00
db:	VULHUB	id:	VHN-426269	date:	2022-07-22T00:00:00
db:	NVD	id:	CVE-2022-2135	date:	2022-07-22T15:15:08.117