CVE-2025-34260
📋 TL;DR
Advantech WISE-DeviceOn Server versions before 5.4 contain a stored cross-site scripting vulnerability in the schedule management endpoint. Authenticated attackers can inject malicious scripts into schedule names that execute when other users view those schedules, potentially hijacking sessions and performing unauthorized actions. This affects organizations using vulnerable versions of Advantech's device management platform.
💻 Affected Systems
- Advantech WISE-DeviceOn Server
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative privileges through session hijacking, leading to complete system compromise, data theft, and unauthorized control of managed devices.
Likely Case
Attacker steals authenticated sessions of regular users to perform unauthorized actions within their permission scope, potentially escalating privileges.
If Mitigated
Script execution is blocked by browser security features or content security policies, limiting impact to minor UI disruption.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated; stored XSS payloads are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4
Restart Required: Yes
Instructions:
1. Download WISE-DeviceOn Server version 5.4 or later from Advantech's official website.
2. Back up the current configuration and data.
3. Stop the WISE-DeviceOn Server service.
4. Install the updated version following the vendor documentation.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Input Validation via WAF
Configure a web application firewall to block XSS payloads in POST requests to the /rmm/v1/action/schedule endpoint.
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources, for example:
Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Restrict access to the WISE-DeviceOn Server web interface to trusted users only using network segmentation
- Implement strong authentication controls and monitor for unusual schedule creation/modification activities
🔍 How to Verify
Check if Vulnerable:
Check whether the current version is below 5.4 by logging into the web interface and navigating to the System Information or About page.
Check Version:
Check the web interface or consult the server installation documentation for version information.
Verify Fix Applied:
After upgrading to 5.4 or later, enter a basic XSS test string (<script>alert('test')</script>) in the schedule name field and verify that it is properly sanitized, i.e. rendered as plain text rather than executed when the schedule is viewed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /rmm/v1/action/schedule containing script tags or JavaScript code
- Multiple failed login attempts followed by schedule creation
Network Indicators:
- HTTP requests with XSS payloads in schedule name parameters
- Outbound connections to suspicious domains from the server
SIEM Query:
source="wise-deviceon" AND (uri_path="/rmm/v1/action/schedule" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))
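The SIEM query above matches the literal strings "<script>" and "javascript:". The following added example (not part of the advisory or of Advantech's software) applies the same idea to JSON-lines request logs with a case-insensitive match and an extra check for inline event handlers; the log field names and the sample records are constructed assumptions, not the real WISE-DeviceOn log format.

```python
import json
import re
from typing import Dict, List

# Patterns to look for in the request body of schedule create/modify calls.
# Case-insensitive, so "<SCRIPT>" is caught as well; the event-handler check is a
# heuristic and may occasionally match harmless text such as "one=".
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
}

SCHEDULE_ENDPOINT = "/rmm/v1/action/schedule"

# Constructed sample records (not real WISE-DeviceOn logs): one JSON object per
# line, in the shape a reverse proxy that logs request bodies might produce.
SAMPLE_LOG = "\n".join([
    json.dumps({"src": "10.0.0.5", "user": "alice", "method": "POST",
                "uri_path": SCHEDULE_ENDPOINT, "body": '{"name": "Nightly backup"}'}),
    json.dumps({"src": "10.0.0.9", "user": "bob", "method": "POST",
                "uri_path": SCHEDULE_ENDPOINT, "body": '{"name": "<SCRIPT>alert(1)</SCRIPT>"}'}),
    json.dumps({"src": "10.0.0.9", "user": "bob", "method": "POST",
                "uri_path": SCHEDULE_ENDPOINT, "body": '{"name": "<img src=x onerror=alert(1)>"}'}),
    json.dumps({"src": "10.0.0.7", "user": "carol", "method": "GET",
                "uri_path": "/rmm/v1/devices", "body": ""}),
    json.dumps({"src": "10.0.0.7", "user": "carol", "method": "POST",
                "uri_path": "/rmm/v1/login", "body": '{"note": "<script>"}'}),
])


def classify(record: Dict[str, str]) -> List[str]:
    """Return the names of XSS patterns found in a schedule POST body, else []."""
    if record.get("method") != "POST" or record.get("uri_path") != SCHEDULE_ENDPOINT:
        return []
    body = record.get("body", "")
    return [name for name, rx in XSS_PATTERNS.items() if rx.search(body)]


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Scan JSON-lines log text and report schedule requests carrying XSS markers."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = classify(record)
        if reasons:
            hits.append({"user": record.get("user"), "src": record.get("src"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"user={hit['user']} src={hit['src']} matched={','.join(hit['reasons'])}")
```

Only POSTs to the schedule endpoint are inspected, so the same string on an unrelated path (the login record above) is not reported; widen the endpoint check if your proxy rewrites paths.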
🔗 References
- https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
- https://docs.deviceon.advantech.com/docs/resource/
- https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-action-schedule