Advantech iView ztp_config_id Parameter SQL Injection Information Disclosure Vulnerability


A vulnerability exists within Advantech iView SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_config_id’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-824d14ae

Vulnerability Metrics

  • CVSSv2 Score: 6.4

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: January 13th, 2022
  • Disclosed to public: March 1st, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.