Skip to main content

Advantech WebAccess/SCADA CVE-2026-6888

| EUVDEUVD-2026-29896 HIGH
SQL Injection (CWE-89)
2026-05-13 CSA GHSA-x289-qg3r-9vgq
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 13, 2026 - 04:00 vuln.today
CVE Published
May 13, 2026 - 03:16 nvd
HIGH 7.2

DescriptionCVE.org

Successful exploitation of the SQL injection vulnerability could allow a remote authenticated attacker to execute arbitrary commands via a specific interface, potentially enabling the attacker to access, modify, or delete sensitive information within the database.

AnalysisAI

SQL injection in multiple Advantech industrial IoT platforms allows remote authenticated attackers with high privileges to execute arbitrary database commands. Affected products include WebAccess/SCADA, SaaS Composer, IoTSuite Growth/Starter, and IoT Edge across Windows and Linux Docker deployments. The vulnerability enables complete database compromise - attackers can read sensitive industrial control system data, modify configurations, or delete critical operational information. CVSS 7.2 reflects high impact across confidentiality, integrity, and availability, though exploitation requires administrative credentials (PR:H), significantly limiting attack surface compared to unauthenticated SQL injection vulnerabilities.

Technical ContextAI

This is a SQL injection vulnerability affecting Advantech's industrial automation and IoT management platforms. The CPE data identifies eight distinct product lines sharing vulnerable code: WebAccess/SCADA (industrial SCADA system), SaaS Composer (cloud platform orchestration), IoTSuite Growth and Starter editions (IoT device management), IoT Edge (edge computing gateway), and EcoWatch SaaS-Composer (environmental monitoring). All products use SQL databases for storing operational data, device configurations, and industrial process information. SQL injection occurs when user-supplied input is improperly sanitized before being incorporated into SQL queries, allowing attackers to break out of intended query logic and execute arbitrary database commands. The vulnerability exists in 'a specific interface' per the description, suggesting a particular API endpoint or web interface component common across these product families. While no CWE classification is provided, this would typically map to CWE-89 (SQL Injection). The cross-platform nature (Windows native and Linux Docker containers) indicates the vulnerable code is in shared application logic rather than platform-specific components.

RemediationAI

Apply vendor-issued security updates from Advantech immediately for all eight affected product lines. Consult Singapore CSA advisory AL-2026-050 at https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-050/ and Advantech's security bulletin portal for specific patch versions and installation instructions. Patch availability and exact fix versions are not confirmed in provided data - contact Advantech support directly for WebAccess/SCADA, SaaS Composer, IoTSuite, IoT Edge, and EcoWatch deployments. As compensating controls until patches are deployed: (1) enforce multi-factor authentication for all administrative accounts to raise the bar for credential compromise (mitigates PR:H exploitation path), (2) implement strict IP allowlisting for administrative interfaces limiting access to trusted management networks only (reduces AV:N exposure), (3) enable comprehensive SQL query logging and monitor for injection patterns such as UNION SELECT, semicolon-terminated commands, or comment sequences in database logs (provides detection capability), (4) apply principle of least privilege by auditing and reducing the number of accounts with high-level database permissions (shrinks attack surface). Note these controls do not eliminate the vulnerability - patching remains the only complete remediation. Organizations using these products in air-gapped or change-controlled environments should prioritize emergency patching given the critical infrastructure context.

Share

CVE-2026-6888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy