← back
CVE-2025-34239

Advantech WebAccess/VPN < 1.1.5 Command Injection in AppManagementController.appUpgradeAction()

CVSS 8.6 HIGHEPSS 1.6%CWE-78
Advantech WebAccess/VPN versions prior to 1.1.5 contain a command injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated system administrator to execute arbitrary commands as the web server user (www-data) by supplying a crafted uploaded filename.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Advantech · WebAccess/VPN

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://icr.advantech.com/download/softwarehttps://icr.advantech.com/support/router-models/download/511/sa-2025-01-vpn-portal-2025-11-06.pdfhttps://www.vulncheck.com/advisories/advantech-webaccess-vpn-command-injection-in-appmanagementcontroller