ID

VAR-202406-0276


CVE

CVE-2023-52335


TITLE

SQL injection vulnerability in Advantech Co., Ltd. iView

Trust: 0.8

sources: JVNDB: JVNDB-2024-016112

DESCRIPTION

Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863. Advantech iView is software developed by Advantech Co., Ltd., primarily used to manage B+B SmartWorx series devices via Simple Network Management Protocol.

Trust: 2.79

sources: NVD: CVE-2023-52335 // JVNDB: JVNDB-2024-016112 // ZDI: ZDI-24-610 // CNVD: CNVD-2025-30966

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-30966

AFFECTED PRODUCTS

vendor: advantech, model: iview, scope: lt, version: 5.7.04.6752

Trust: 1.0

vendor: アドバンテック株式会社, model: iview, scope: eq, version: 5.7.04.6752

Trust: 0.8

vendor: アドバンテック株式会社, model: iview, scope: -, version: -

Trust: 0.8

vendor: アドバンテック株式会社, model: iview, scope: eq, version: -

Trust: 0.8

vendor: advantech, model: iview, scope: -, version: -

Trust: 0.7

vendor: advantech, model: iview, scope: eq, version: *

Trust: 0.6

sources: ZDI: ZDI-24-610 // CNVD: CNVD-2025-30966 // JVNDB: JVNDB-2024-016112 // NVD: CVE-2023-52335

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2023-52335
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2023-52335
value: HIGH

Trust: 1.0

NVD: CVE-2023-52335
value: HIGH

Trust: 0.8

ZDI: CVE-2023-52335
value: HIGH

Trust: 0.7

CNVD: CNVD-2025-30966
value: HIGH

Trust: 0.6

CNVD: CNVD-2025-30966
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

zdi-disclosures@trendmicro.com: CVE-2023-52335
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2023-52335
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

ZDI: CVE-2023-52335
baseSeverity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-24-610 // CNVD: CNVD-2025-30966 // JVNDB: JVNDB-2024-016112 // NVD: CVE-2023-52335 // NVD: CVE-2023-52335

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.0

problemtype: SQL injection (CWE-89) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2024-016112 // NVD: CVE-2023-52335

PATCH

title: Advantech has issued an update to correct this vulnerability.
url: https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183

Trust: 0.7

title: Patch for Advantech iView SQL Injection Vulnerability (CNVD-2025-30966)
url: https://www.cnvd.org.cn/patchInfo/show/782911

Trust: 0.6

sources: ZDI: ZDI-24-610 // CNVD: CNVD-2025-30966

EXTERNAL IDS

db: NVD, id: CVE-2023-52335

Trust: 3.9

db: ZDI, id: ZDI-24-610

Trust: 3.1

db: JVNDB, id: JVNDB-2024-016112

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-17863

Trust: 0.7

db: CNVD, id: CNVD-2025-30966

Trust: 0.6

sources: ZDI: ZDI-24-610 // CNVD: CNVD-2025-30966 // JVNDB: JVNDB-2024-016112 // NVD: CVE-2023-52335

REFERENCES

url: https://www.advantech.com/zh-tw/support/details/firmware?id=1-hipu-183

Trust: 2.5

url: https://www.zerodayinitiative.com/advisories/zdi-24-610/

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2023-52335

Trust: 0.8

sources: ZDI: ZDI-24-610 // CNVD: CNVD-2025-30966 // JVNDB: JVNDB-2024-016112 // NVD: CVE-2023-52335

CREDITS

Anonymous

Trust: 0.7

sources: ZDI: ZDI-24-610

SOURCES

db: ZDI, id: ZDI-24-610
db: CNVD, id: CNVD-2025-30966
db: JVNDB, id: JVNDB-2024-016112
db: NVD, id: CVE-2023-52335

LAST UPDATE DATE

2025-12-20T23:36:33.060000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-24-610, date: 2024-08-15T00:00:00
db: CNVD, id: CNVD-2025-30966, date: 2025-12-18T00:00:00
db: JVNDB, id: JVNDB-2024-016112, date: 2025-01-10T05:26:00
db: NVD, id: CVE-2023-52335, date: 2025-01-09T16:05:53.673

SOURCES RELEASE DATE

db: ZDI, id: ZDI-24-610, date: 2024-06-12T00:00:00
db: CNVD, id: CNVD-2025-30966, date: 2025-12-18T00:00:00
db: JVNDB, id: JVNDB-2024-016112, date: 2025-01-10T00:00:00
db: NVD, id: CVE-2023-52335, date: 2024-11-22T20:15:07.927