CVE-2025-34259
📋 TL;DR
This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to inject malicious scripts into map entry names. When other users view these entries, the scripts execute in their browser context, potentially enabling session hijacking and unauthorized actions. Only authenticated users can exploit this vulnerability, but it affects all users who view the compromised map entries.
💻 Affected Systems
- Advantech WISE-DeviceOn Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative privileges through session hijacking, leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Attacker steals session cookies to impersonate authenticated users, performs unauthorized actions within their permission scope, and potentially accesses sensitive device management data.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized, preventing execution while maintaining map functionality.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple: injecting a script payload into the name parameter is sufficient. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4
Restart Required: Yes
Instructions:
1. Download WISE-DeviceOn Server version 5.4 from official Advantech sources.
2. Backup current configuration and data.
3. Stop the WISE-DeviceOn Server service.
4. Install the 5.4 update following vendor documentation.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Input Validation via WAF
Configure the web application firewall to block XSS payloads in POST requests to the /rmm/v1/devicemap/building endpoint
Restrict Map Creation Permissions
Temporarily limit map creation to trusted administrators only until patching
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Monitor and audit all map creation activities for suspicious payloads in the name parameter
🔍 How to Verify
Check if Vulnerable:
Test by creating a map entry with a simple XSS payload like <script>alert('test')</script> in the name field and checking if it executes when viewing the map list.
Check Version:
Check the WISE-DeviceOn Server web interface admin panel or consult server documentation for version information.
Verify Fix Applied:
After upgrading to 5.4, attempt the same XSS test; the script should be properly sanitized and not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual map creation events
- POST requests to /rmm/v1/devicemap/building containing script tags or JavaScript keywords in parameters
Network Indicators:
- HTTP requests with suspicious payloads in name parameter
- Unexpected JavaScript execution in map interface responses
SIEM Query:
source="wise-deviceon" AND uri_path="/rmm/v1/devicemap/building" AND param_name="name" AND (param_value CONTAINS "<script>" OR param_value CONTAINS "javascript:")
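A scripted form of the log check above, added here as an example and not part of the advisory or of Advantech's tooling. It assumes a JSON-lines access log with method, uri_path, user, src_ip and params fields (constructed), scopes the match to the endpoint and method first, and normalises the name value before testing the same indicators the SIEM query uses, so encoded or mixed-case variants are not missed.

```python
import html
import json
import re
from urllib.parse import unquote_plus

# Endpoint and parameter named in the advisory; the log format is assumed.
TARGET_PATH = "/rmm/v1/devicemap/building"
WATCHED_PARAM = "name"
# Same indicators as the SIEM query, matched after normalisation so that
# URL-encoded, entity-encoded or mixed-case variants are not missed.
SUSPICIOUS = re.compile(r"<\s*script|javascript:", re.IGNORECASE)

def normalise(value: str) -> str:
    """URL- and HTML-decode twice (double encoding is common), then lower-case."""
    for _ in range(2):
        value = html.unescape(unquote_plus(value))
    return value.lower()

def flag_event(event: dict):
    """Return a finding for one parsed record, or None if it is benign."""
    # Scope to the endpoint and method first, as the SIEM query's grouping must too.
    if event.get("method") != "POST" or event.get("uri_path") != TARGET_PATH:
        return None
    raw = event.get("params", {}).get(WATCHED_PARAM, "")
    match = SUSPICIOUS.search(normalise(raw))
    if match is None:
        return None
    return {"user": event.get("user"), "src_ip": event.get("src_ip"),
            "indicator": match.group(0), "raw_name": raw}

def scan(lines):
    """Scan JSON-lines access-log records (assumed format); return findings."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        hit = flag_event(event)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample records, not real WISE-DeviceOn log output.
SAMPLE_LOG = [
    '{"method":"POST","uri_path":"/rmm/v1/devicemap/building","user":"ops1","src_ip":"10.0.0.5","params":{"name":"Building A"}}',
    '{"method":"POST","uri_path":"/rmm/v1/devicemap/building","user":"ops2","src_ip":"10.0.0.9","params":{"name":"Lab%20%3CScRiPt%3Ealert(1)%3C/script%3E"}}',
    '{"method":"POST","uri_path":"/rmm/v1/other","user":"ops2","src_ip":"10.0.0.9","params":{"name":"<script>x</script>"}}',
    '{"method":"POST","uri_path":"/rmm/v1/devicemap/building","user":"ops3","src_ip":"10.0.0.7","params":{"name":"Floor 2 JavaScript:alert(1)"}}',
]
```

Running scan(SAMPLE_LOG) flags only the two records posted to the building endpoint with a script indicator in name; the same payload sent to another path is ignored, which is what the parenthesised grouping in the SIEM query achieves.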
🔗 References
- https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
- https://docs.deviceon.advantech.com/docs/resource/
- https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicemap-building