CVE-2025-34261
📋 TL;DR
This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to inject malicious scripts into device group names and descriptions. When other users view these device groups, the scripts execute in their browser context, potentially enabling session hijacking and unauthorized actions. All organizations running affected versions of WISE-DeviceOn Server are vulnerable.
💻 Affected Systems
- Advantech WISE-DeviceOn Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative privileges, compromises all connected devices, steals sensitive data, and maintains persistent access to the entire infrastructure.
Likely Case
Attacker hijacks user sessions, performs unauthorized actions as victims, and potentially escalates privileges within the WISE-DeviceOn Server.
If Mitigated
Limited to authenticated users only, with potential for session compromise but no direct system access.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated; stored XSS payloads persist until removed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4
Restart Required: Yes
Instructions:
1. Download WISE-DeviceOn Server version 5.4 from official Advantech sources.
2. Back up the current configuration and data.
3. Stop the WISE-DeviceOn Server service.
4. Install version 5.4 following vendor documentation.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Input Validation via WAF
Configure a web application firewall to filter XSS payloads in POST requests to the /rmm/v1/devicegroups/ endpoint
Restrict Device Group Creation
Limit device group creation permissions to trusted administrators only
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Monitor and audit all device group creation/modification activities for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check whether the installed version is below 5.4 by accessing the admin interface or inspecting the installation files
Check Version:
Check web interface admin panel or consult installation documentation for version information
Verify Fix Applied:
After upgrading to 5.4, enter a harmless test string such as <script>alert('test')</script> into the device group name and description fields and confirm it is rendered as literal text (escaped) rather than executed when the group listing is viewed
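To make the verification step concrete, the following added example (not code from the advisory or from Advantech) shows the defect class behind this CVE and what "properly sanitized" means: a listing row rendered by plain string concatenation beside the same row rendered with HTML output encoding, plus a check that the stored test string no longer survives as a live script tag. The device group records are constructed sample data; the field names and the rendering functions are assumptions for illustration and do not reflect WISE-DeviceOn's actual templates.

```python
import html
import re

# Constructed sample: two device group records as they might be stored, the second
# containing the same harmless test string the verification step above uses, plus a
# description that tries to break out of an HTML attribute.
SAMPLE_GROUPS = [
    {"name": "Factory Floor A", "description": "PLCs and HMIs, building 2"},
    {"name": "<script>alert('test')</script>",
     "description": "x\" onmouseover=\"alert(1)"},
]


def render_group_row_vulnerable(group: dict) -> str:
    """Renders a listing row by concatenation with no output encoding.
    This is the pattern behind a stored XSS: whatever was saved is emitted as markup."""
    return (
        f"<tr><td title=\"{group['description']}\">{group['name']}</td>"
        f"<td>{group['description']}</td></tr>"
    )


def render_group_row_hardened(group: dict) -> str:
    """Same row, but every untrusted value is HTML-escaped before it is placed in
    the page. quote=True also escapes " and ', which matters inside attributes."""
    name = html.escape(group["name"], quote=True)
    desc = html.escape(group["description"], quote=True)
    return f"<tr><td title=\"{desc}\">{name}</td><td>{desc}</td></tr>"


# A raw "<script" in the rendered markup means the browser would parse an element
# instead of displaying text.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(rendered_html: str) -> bool:
    """True if the rendered markup still carries an unescaped <script tag."""
    return SCRIPT_TAG.search(rendered_html) is not None


def listing_is_sanitized(groups, renderer) -> bool:
    """True when no group in the listing renders to a live script tag."""
    return not any(contains_live_script(renderer(g)) for g in groups)


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_group_row_vulnerable),
                            ("hardened", render_group_row_hardened)):
        print(label, "sanitized:", listing_is_sanitized(SAMPLE_GROUPS, renderer))
        print("  ", renderer(SAMPLE_GROUPS[1]))
```

The hardened renderer is the application-side fix; a Content Security Policy, as suggested under "If You Can't Patch", is a second layer that limits what an injected script could do if encoding is missed somewhere, not a substitute for it.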
📡 Detection & Monitoring
Log Indicators:
- Unusual device group creation/modification patterns
- POST requests to /rmm/v1/devicegroups/ containing script tags or JavaScript code
Network Indicators:
- HTTP requests with suspicious payloads in device group parameters
- Unexpected JavaScript execution in device group listings
SIEM Query:
source="wise-deviceon" AND (uri_path="/rmm/v1/devicegroups/" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))
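The SIEM query above matches on raw substrings; the following added example (not part of the advisory or of any vendor tooling) runs the same logic over constructed sample log lines and goes one step further by URL-decoding the request body before matching, so a percent-encoded script tag is not missed, and by also flagging inline event-handler attributes. The JSON-per-line log shape and the field names (source, method, uri_path, user, request_body) are assumptions chosen to mirror the query; the real WISE-DeviceOn log format may differ.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample events, serialised to one JSON object per line. Lines 2-4 are the
# ones a defender would want flagged; the rest are benign, off-source, or malformed.
SAMPLE_EVENTS = [
    {"source": "wise-deviceon", "method": "POST", "uri_path": "/rmm/v1/devicegroups/",
     "user": "ops1", "request_body": json.dumps({"name": "Line 3", "description": "packaging"})},
    {"source": "wise-deviceon", "method": "POST", "uri_path": "/rmm/v1/devicegroups/",
     "user": "ops2", "request_body": json.dumps({"name": "<script>alert(1)</script>", "description": "x"})},
    {"source": "wise-deviceon", "method": "POST", "uri_path": "/rmm/v1/devicegroups/",
     "user": "ops2", "request_body": json.dumps({"name": "%3Cscript%3Ealert(2)%3C/script%3E", "description": "x"})},
    {"source": "wise-deviceon", "method": "POST", "uri_path": "/rmm/v1/devicegroups/",
     "user": "ops3", "request_body": json.dumps({"name": "Boiler", "description": '<a href="javascript:alert(3)">x</a>'})},
    {"source": "wise-deviceon", "method": "GET", "uri_path": "/rmm/v1/devicegroups/",
     "user": "ops1", "request_body": ""},
    {"source": "other-app", "method": "POST", "uri_path": "/rmm/v1/devicegroups/",
     "user": "ops1", "request_body": "<script>"},
]
SAMPLE_LOGS = [json.dumps(e) for e in SAMPLE_EVENTS] + ["this line is not json"]

# Markers from the SIEM query (<script>, javascript:) plus inline event handlers.
XSS_MARKERS = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
TARGET_PATH = "/rmm/v1/devicegroups/"


def normalize_body(body: str) -> str:
    """URL-decode twice so single- and double-encoded payloads are compared in clear."""
    return unquote(unquote(body))


def is_suspicious(event: dict) -> bool:
    """Same conditions as the SIEM query, restricted to POSTs and applied after decoding."""
    if event.get("source") != "wise-deviceon" or event.get("method") != "POST":
        return False
    if not event.get("uri_path", "").startswith(TARGET_PATH):
        return False
    return XSS_MARKERS.search(normalize_body(event.get("request_body", ""))) is not None


def scan_logs(lines):
    """Returns (line_number, user, uri_path) for each suspicious event; skips bad JSON."""
    hits = []
    for number, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        if is_suspicious(event):
            hits.append((number, event.get("user"), event.get("uri_path")))
    return hits


def users_with_hits(lines):
    """Distinct accounts that submitted a flagged device group write, for follow-up review."""
    return sorted({user for _, user, _ in scan_logs(lines)})


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print("suspicious device group write:", hit)
    print("accounts to review:", users_with_hits(SAMPLE_LOGS))
```

A hit identifies the account that stored the payload, which is the useful pivot for the audit recommended above: the same user writing several flagged group names in a short window is a much stronger signal than a single match.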
🔗 References
- https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
- https://docs.deviceon.advantech.com/docs/resource/
- https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicegroups