CVE-2025-34262
📋 TL;DR
This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to inject malicious scripts into device names. When other users view or interact with these devices, the scripts execute in their browser context, potentially enabling session hijacking and unauthorized actions. All organizations using vulnerable versions of WISE-DeviceOn Server are affected.
💻 Affected Systems
- Advantech WISE-DeviceOn Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrator sessions, gain full control of the DeviceOn Server, pivot to other systems, and steal sensitive device management data.
Likely Case
Attackers with authenticated access could steal session cookies, perform unauthorized actions as victims, and potentially escalate privileges within the system.
If Mitigated
With proper input validation and output encoding, the risk is minimal: authenticated users could still attempt injection, but the payload would be rendered safely as text.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4 and later
Restart Required: Yes
Instructions:
1. Download WISE-DeviceOn Server version 5.4 or later from Advantech's official website.
2. Backup current configuration and data.
3. Stop the DeviceOn Server service.
4. Install the updated version.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to reject device names containing HTML/JavaScript tags
Output Encoding
Apply proper HTML encoding to device name values before rendering in web interfaces
🧯 If You Can't Patch
- Implement strict input validation at the application layer to sanitize device name inputs
- Apply web application firewall (WAF) rules to block XSS payloads in device name parameters
🔍 How to Verify
Check if Vulnerable:
Check if your WISE-DeviceOn Server version is below 5.4. Attempt to rename a device with a test XSS payload like <script>alert('test')</script> and see if it executes when viewing the device.
Check Version:
Check the DeviceOn Server web interface admin panel or consult server documentation for version information.
Verify Fix Applied:
After upgrading to version 5.4 or later, attempt the same XSS test. The payload should be properly encoded and not execute. Verify that device names are displayed as plain text.
📡 Detection & Monitoring
Log Indicators:
- Unusual device rename operations
- Device names containing script tags or JavaScript code
- Multiple rename attempts from single user
Network Indicators:
- HTTP POST requests to /rmm/v1/devices/name/{agent_id} with suspicious payloads
SIEM Query:
source="deviceon-server" AND (http_method="POST" AND uri="/rmm/v1/devices/name/*" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:"))
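As an added detection example (not from the advisory or from Advantech), the following Python applies the log and network indicators above to constructed access-log lines: it flags POST renames to the /rmm/v1/devices/name/{agent_id} endpoint whose body carries the markers from the SIEM query, and counts rename attempts per user for the "multiple rename attempts" indicator. The log line format, user names and bodies are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not real DeviceOn output): one record per
# request, with the request body appended after "body=".
SAMPLE_LOGS = [
    'src=deviceon-server user=alice method=POST uri=/rmm/v1/devices/name/agent-01 body={"name":"Pump-3"}',
    'src=deviceon-server user=mallory method=POST uri=/rmm/v1/devices/name/agent-02 body={"name":"<script>alert(1)</script>"}',
    'src=deviceon-server user=mallory method=POST uri=/rmm/v1/devices/name/agent-02 body={"name":"<a href=javascript:void(0)>x</a>"}',
    'src=deviceon-server user=mallory method=POST uri=/rmm/v1/devices/name/agent-03 body={"name":"Valve-7"}',
    'src=deviceon-server user=bob method=GET uri=/rmm/v1/devices/name/agent-01 body=',
    'src=deviceon-server user=bob method=POST uri=/rmm/v1/devices/other body={"name":"<script>x</script>"}',
]

LOG_RE = re.compile(r'user=(?P<user>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+) body=(?P<body>.*)$')
# Rename endpoint from the advisory: one path segment (agent id) after /name/
RENAME_URI_RE = re.compile(r'^/rmm/v1/devices/name/[^/]+$')
# Markers from the SIEM query; case-insensitive so <SCRIPT> and JavaScript: also match
PAYLOAD_RE = re.compile(r'<script>|javascript:', re.IGNORECASE)

def parse_line(line):
    """Extract user, method, uri and body from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def is_rename_request(rec):
    return rec["method"] == "POST" and RENAME_URI_RE.match(rec["uri"]) is not None

def find_suspicious_renames(lines):
    """Return (user, uri, body) for POST renames whose body carries an XSS marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_rename_request(rec) and PAYLOAD_RE.search(rec["body"]):
            hits.append((rec["user"], rec["uri"], rec["body"]))
    return hits

def rename_counts_by_user(lines):
    """Count rename attempts per user (GET requests and other endpoints are ignored)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_rename_request(rec):
            counts[rec["user"]] += 1
    return counts

def users_over_threshold(lines, threshold=3):
    """Users whose rename attempts reach the threshold (an assumed tuning value)."""
    return sorted(u for u, n in rename_counts_by_user(lines).items() if n >= threshold)

if __name__ == "__main__":
    for hit in find_suspicious_renames(SAMPLE_LOGS):
        print("suspicious rename:", hit)
    print("heavy renamers:", users_over_threshold(SAMPLE_LOGS))
```

Note that the POST to /rmm/v1/devices/other with a script tag is deliberately not flagged, so a production rule should be reviewed for other endpoints that accept device-related free text.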
🔗 References
- https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
- https://docs.deviceon.advantech.com/docs/resource/
- https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devices-name-agentid