CVE-2025-34256

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote, unauthenticated attackers to forge JSON Web Tokens (JWTs) using a hard-coded HMAC signing key shipped in every Advantech WISE-DeviceOn Server installation. Because the server trusts any token that validates under that key, an attacker can impersonate any user, including the root super admin, and obtain full administrative control over the DeviceOn instance. All organizations running affected versions of Advantech WISE-DeviceOn Server are vulnerable.

💻 Affected Systems

Products:
  • Advantech WISE-DeviceOn Server
Versions: All versions prior to 5.4
Operating Systems: Not specified - likely multiple
Default Config Vulnerable: ⚠️ Yes
Notes: All installations are vulnerable due to the hard-coded key being present in the software itself.

📦 What is this software?

Advantech WISE-DeviceOn Server is the central management server of the DeviceOn platform: it authenticates operators with JWTs, manages connected device agents, and pushes configuration and updates to them, which is why administrative control of the server extends to every managed agent.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the DeviceOn instance allowing attackers to execute arbitrary code on managed agents, steal sensitive data, disrupt operations, and maintain persistent access to the entire infrastructure.

🟠 Likely Case

Attackers gain administrative access to the DeviceOn server, allowing them to manipulate device configurations, deploy malicious updates to managed agents, and potentially pivot to other systems.

🟢 If Mitigated

If network segmentation and strict access controls are in place, impact may be limited to the DeviceOn server itself, though administrative control still represents significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only generating a JWT with a valid email claim using the known hard-coded key, making this trivial for attackers with knowledge of the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 5.4

Vendor Advisory: https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf

Restart Required: Yes

Instructions:

1. Download Advantech WISE-DeviceOn Server version 5.4 or later from official sources.
2. Back up the current configuration and data.
3. Stop the DeviceOn service.
4. Install the updated version.
5. Restart the service.
6. Verify functionality.

🔧 Temporary Workarounds

Network Isolation


Restrict network access to the DeviceOn server to only trusted IP addresses and networks.

Use firewall rules to limit inbound connections to the DeviceOn server.

Disable Remote Management Features


Temporarily disable DeviceOn's remote management capabilities to prevent code execution on managed agents.

Consult the DeviceOn documentation for how to disable specific remote management features.

🧯 If You Can't Patch

  • Immediately isolate the DeviceOn server from the internet and restrict internal network access
  • Implement strict monitoring for authentication attempts and JWT token usage

🔍 How to Verify

Check if Vulnerable:

Check the DeviceOn server version. If it is below 5.4, it is vulnerable. Also check for the presence of the hard-coded HS512 HMAC secret in the configuration files.

Check Version:

Check the DeviceOn web interface or configuration files for version information.

Verify Fix Applied:

Verify the server is running version 5.4 or later. Test that JWT tokens signed with the old hard-coded key are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Multiple failed login attempts followed by successful admin login
  • JWT token validation failures

Network Indicators:

  • Unusual outbound connections from DeviceOn server
  • Suspicious traffic to managed agents

SIEM Query:

source="deviceon" AND (event_type="authentication" AND result="success" AND user="admin" AND source_ip NOT IN [trusted_ips])
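The "Verify Fix Applied" test above and the SIEM rule, as an added example that is not from the advisory or the vendor: it applies the admin-from-untrusted-IP condition to key=value authentication log lines and flags any HS512 token whose signature verifies under the compromised key, which a patched server should never issue. The key values, the log line format, the IP addresses and the email claim are placeholders constructed for this example, not from the page.

```python
import base64, hashlib, hmac, json

COMPROMISED_KEY = b"PLACEHOLDER-OLD-HARDCODED-KEY"  # the leaked key is not on this page
TRUSTED_IPS = {"10.0.0.5"}                          # constructed allow-list

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs512(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha512).digest()

def minted_with_key(token: str, key: bytes) -> bool:
    # A live token that verifies under the compromised key was not issued by a patched server.
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS512":
            return False
        expected = hs512(f"{header}.{payload}", key)
        return hmac.compare_digest(expected, b64url_decode(sig))
    except ValueError:  # malformed base64, JSON or token structure
        return False

def flag_auth_events(lines, key=COMPROMISED_KEY, trusted=TRUSTED_IPS):
    # Advisory SIEM rule (admin success from an untrusted IP) plus the forged-token check.
    findings = []
    for n, line in enumerate(lines, 1):
        ev = dict(kv.split("=", 1) for kv in line.split())
        if (ev.get("result") == "success" and ev.get("user") == "admin"
                and ev.get("src_ip") not in trusted):
            findings.append((n, "admin login from untrusted ip"))
        if minted_with_key(ev.get("token", ""), key):
            findings.append((n, "token signed with compromised key"))
    return findings

def constructed_token(claims: dict, key: bytes) -> str:
    # Builds sample tokens for the constructed log below (test data only).
    head = b64url(json.dumps({"alg": "HS512", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(hs512(f'{head}.{body}', key))}"

SAMPLE_LOG = [  # constructed log lines in the shape the SIEM rule expects
    "event_type=authentication result=success user=admin src_ip=10.0.0.5 token="
    + constructed_token({"email": "admin@example.invalid"}, b"PLACEHOLDER-ROTATED-KEY"),
    "event_type=authentication result=success user=admin src_ip=198.51.100.7 token="
    + constructed_token({"email": "admin@example.invalid"}, COMPROMISED_KEY),
    "event_type=authentication result=failure user=admin src_ip=198.51.100.7",
]
```

Only the second sample line is flagged, on both counts; the first is an admin login from a trusted address with a token issued under the rotated key.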
