CVE-2025-34258
📋 TL;DR
This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to inject malicious scripts into map area names. When other users view or interact with the affected map entry, the script executes in their browser context, potentially enabling session hijacking and unauthorized actions. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- Advantech WISE-DeviceOn Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative privileges, compromises all user sessions, exfiltrates sensitive data, and performs unauthorized actions across the entire DeviceOn deployment.
Likely Case
Attacker steals session cookies of other authenticated users, impersonates them to perform unauthorized actions within their permission scope, and potentially accesses sensitive device management data.
If Mitigated
Script execution is blocked by browser security features or CSP headers, limiting impact to minor UI disruption without data compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated; stored XSS payloads persist until cleaned.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4
Restart Required: Yes
Instructions:
1. Download WISE-DeviceOn Server version 5.4 from official Advantech sources.
2. Back up the current configuration and data.
3. Stop the DeviceOn service.
4. Install the update following the vendor documentation.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize HTML/JavaScript from the name parameter before storage.
Output Encoding
Apply proper output encoding when rendering the area name in the map list interface.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution.
- Restrict user permissions to minimize attack surface; limit who can create/modify map entries.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed version is below 5.4 via the admin interface or the installation files.
Check Version:
Check the admin panel of the web interface, or consult the installation documentation, for version information.
Verify Fix Applied:
After updating to 5.4, attempt to inject basic XSS payloads (e.g., <script>alert('test')</script>) into the area name field and verify they are properly sanitized or encoded when displayed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /rmm/v1/devicemap/plan with script tags or JavaScript in parameters
- Multiple failed login attempts followed by successful authentication and map modifications
Network Indicators:
- HTTP requests containing script payloads in the name parameter
- Unexpected outbound connections from user browsers after viewing map entries
SIEM Query:
source="deviceon_logs" AND (uri="/rmm/v1/devicemap/plan" AND (param="name" CONTAINS "<script>" OR param="name" CONTAINS "javascript:"))
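Detection logic for the log indicators above, as an added example that is not part of the advisory or of the vendor's product: it parses constructed access-log lines (the log layout, the sample client IPs and the helper names are assumptions), flags writes to the /rmm/v1/devicemap/plan endpoint whose name parameter carries markup or script, and URL-decodes and lower-cases the value first so that percent-encoded or mixed-case variants are caught where a literal "<script>" match like the SIEM query's would miss them.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory: the stored map area name is written here.
TARGET_PATH = "/rmm/v1/devicemap/plan"
TARGET_PARAM = "name"

# Markup or script fragments that have no business in a plain area name. The value is
# URL-decoded (twice, to tolerate double encoding) and lower-cased before matching, so
# "%3CScRiPt%3E" is caught even though a literal "<script>" match would miss it.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|<\s*[a-z]+[^>]*\son[a-z]+\s*=")

def suspicious_name(value: str) -> bool:
    """True if a submitted area name looks like HTML or JavaScript rather than text."""
    decoded = unquote_plus(unquote_plus(value)).lower()
    return bool(SUSPICIOUS.search(decoded))

# Assumed access-log layout (constructed, not the product's own format):
# "<client-ip> <method> <path-with-query> <status>"
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

def flag_log_line(line: str):
    """Return (client_ip, name) for a write to the plan endpoint with a suspicious name, else None."""
    m = LOG_LINE.match(line.strip())
    if not m or m.group("method") not in ("POST", "PUT"):
        return None  # reads cannot store a payload
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    # parse_qs already percent-decodes once; suspicious_name decodes further.
    for value in parse_qs(url.query).get(TARGET_PARAM, []):
        if suspicious_name(value):
            return m.group("ip"), value
    return None

def scan_log(lines):
    """Run flag_log_line over a log and return the hits in order."""
    return [hit for hit in map(flag_log_line, lines) if hit is not None]

# Constructed sample log: one clean rename, three suspicious writes, then a read and
# an unrelated endpoint that must not be flagged.
SAMPLE_LOG = [
    "10.0.0.5 POST /rmm/v1/devicemap/plan?name=Hall+A&floor=2 200",
    "10.0.0.7 POST /rmm/v1/devicemap/plan?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200",
    "10.0.0.9 PUT /rmm/v1/devicemap/plan?name=%253CScRiPt%253E 200",
    "10.0.0.4 POST /rmm/v1/devicemap/plan?name=javascript%3Aalert(1) 200",
    "10.0.0.9 GET /rmm/v1/devicemap/plan?name=%3Cscript%3E 200",
    "10.0.0.3 POST /rmm/v1/devicemap/other?name=%3Cscript%3E 200",
]
```

`scan_log(SAMPLE_LOG)` returns the three flagged writes with their client IPs; feed real log lines through the same function once the layout regex is adapted to your server's format.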
🔗 References
- https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
- https://docs.deviceon.advantech.com/docs/resource/
- https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicemap-plan