CVE-2025-34236

5.4 MEDIUM

📋 TL;DR

Advantech WebAccess/VPN versions before 1.1.5 contain a stored cross-site scripting vulnerability in the NetworksController.addNetworkAction() function. An attacker can inject malicious scripts that execute in victims' browsers when they view network configuration pages. Organizations using vulnerable Advantech VPN portal versions are affected.

💻 Affected Systems

Products:
  • Advantech WebAccess/VPN
Versions: All versions prior to 1.1.5
Operating Systems: Not OS-specific - affects the application itself
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the VPN portal interface where network configurations are managed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack VPN sessions, deploy ransomware, or pivot to internal networks by compromising VPN administrators.

🟠 Likely Case

Session hijacking, credential theft, and unauthorized access to VPN-connected resources through client-side attacks.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authentication to access the vulnerable endpoint, but stored XSS payloads persist and affect subsequent users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.5

Vendor Advisory: https://icr.advantech.com/support/router-models/download/511/sa-2025-01-vpn-portal-2025-11-06.pdf

Restart Required: Yes

Instructions:

1. Download version 1.1.5 from Advantech's support portal.
2. Backup current configuration.
3. Apply the update following vendor documentation.
4. Restart the VPN service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize network name inputs

Not applicable - requires code modification

Content Security Policy

all

Implement strict CSP headers to prevent script execution from untrusted sources

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Restrict access to the VPN portal interface to trusted administrators only using network segmentation
  • Implement web application firewall (WAF) rules to detect and block XSS payloads in network configuration parameters

🔍 How to Verify

Check if Vulnerable:

Check if Advantech WebAccess/VPN version is below 1.1.5 in the admin interface

Check Version:

Check admin dashboard or use vendor-specific CLI commands for version verification

Verify Fix Applied:

Verify version shows 1.1.5 or higher after update and test network configuration input fields for proper sanitization

📡 Detection & Monitoring

Log Indicators:

  • Unusual network configuration changes
  • Multiple failed login attempts followed by successful login
  • Suspicious JavaScript payloads in network name fields

Network Indicators:

  • Unusual outbound connections from VPN portal server
  • Traffic patterns suggesting credential harvesting

SIEM Query:

source="advantech_vpn" AND (message="*<script>*" OR message="*javascript:*" OR message="*onerror=*" OR message="*onload=*")
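The SIEM query above matches four literal substrings. As an added example (not vendor code and not part of the original advisory), this Python check applies the same four indicators after bounded URL-decoding and with case-insensitive matching, so encoded or mixed-case values in a network name field are flagged too. The log line layout, field names and function names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# The four indicators from the SIEM query, tolerant of case and of the
# optional whitespace that HTML parsers also accept.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "onerror_attr": re.compile(r"\bonerror\s*=", re.I),
    "onload_attr": re.compile(r"\bonload\s*=", re.I),
}

def normalize(message, max_rounds=3):
    """URL-decode up to max_rounds times so encoded values are matched."""
    for _ in range(max_rounds):
        decoded = unquote_plus(message)
        if decoded == message:
            break
        message = decoded
    return message

def match_indicators(message):
    """Return the sorted names of indicators found in one log message."""
    text = normalize(message)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan(lines):
    """Return (line_number, indicators) for every line with a hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        found = match_indicators(line)
        if found:
            hits.append((lineno, found))
    return hits

# Constructed sample lines; the real portal log format is an assumption.
SAMPLE_LOG = [
    "2025-11-10T09:00:01Z user=admin action=add_network name=branch-office-01",
    "2025-11-10T09:02:13Z user=op1 action=add_network name=<script>alert(1)</script>",
    "2025-11-10T09:02:40Z user=op1 action=add_network name=%3CScRiPt%3Ealert(1)%3C%2Fscript%3E",
    "2025-11-10T09:05:02Z user=op2 action=add_network name=<img src=x OnError =alert(1)>",
    "2025-11-10T09:07:55Z user=op3 action=add_network name=onloadbalancer-2",
]

if __name__ == "__main__":
    for lineno, found in scan(SAMPLE_LOG):
        print(lineno, found)
```

Hits are a triage signal for reviewing stored network names, not proof of exploitation; the last sample line shows that a benign name containing "onload" without an assignment is not flagged.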
