CVE-2025-34263
📋 TL;DR
Advantech WISE-DeviceOn Server versions before 5.4 contain a stored cross-site scripting vulnerability in the dashboard menu configuration endpoint. Authenticated attackers can inject malicious scripts that execute when other users view affected dashboards, potentially compromising sessions and performing unauthorized actions. This affects organizations using vulnerable versions of the WISE-DeviceOn Server for IoT device management.
💻 Affected Systems
- Advantech WISE-DeviceOn Server
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative privileges, compromises all connected IoT devices, steals sensitive data, and maintains persistent access to the entire infrastructure.
Likely Case
Attacker hijacks user sessions, performs unauthorized actions as authenticated users, and potentially accesses sensitive device management data.
If Mitigated
Limited to authenticated users only, with potential for session compromise but restricted by existing access controls and network segmentation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authentication is obtained; stored XSS payloads persist until removed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4
Restart Required: Yes
Instructions:
1. Download WISE-DeviceOn Server version 5.4 or later from Advantech's official website.
2. Back up the current configuration and data.
3. Stop the WISE-DeviceOn Server service.
4. Install the updated version following the vendor documentation.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall or reverse proxy rules that sanitize or block script content submitted to the vulnerable endpoint
# WAF rule example: Block/alert on suspicious patterns in /rmm/v1/plugin-config/dashboards/menus requests
Access Restriction
Restrict access to the dashboard configuration functionality to the administrative users who actually need it
# Example: Implement additional authentication layer or IP restrictions for administrative functions
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Monitor and audit dashboard configuration changes for suspicious entries
🔍 How to Verify
Check if Vulnerable:
Check whether the installed version is below 5.4 via the web interface admin panel or the system information page
Check Version:
Read the version from the web interface admin panel, or consult the vendor documentation for the version-check procedure
Verify Fix Applied:
Confirm the version is 5.4 or higher, then confirm that script tags entered in dashboard menu fields are sanitized rather than rendered when the dashboard is viewed
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /rmm/v1/plugin-config/dashboards/menus with script tags or JavaScript payloads
- Multiple failed authentication attempts followed by successful login and dashboard configuration changes
Network Indicators:
- HTTP requests containing script injection patterns to the vulnerable endpoint
- Outbound connections from the server to unexpected external domains
SIEM Query:
source="wise-deviceon" AND (uri="/rmm/v1/plugin-config/dashboards/menus" AND (body="<script" OR body="javascript:" OR body="onerror=" OR body="onload="))
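The same indicator as a small, self-contained detection script, added here as an example rather than taken from the advisory or the vendor. It assumes a constructed request-log format (timestamp, user, method, path, status, URL-encoded body) and applies the patterns from the SIEM query above to POSTs on the vulnerable endpoint after URL-decoding the body, so encoded payloads are not missed.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory
VULN_PATH = "/rmm/v1/plugin-config/dashboards/menus"

# The patterns from the SIEM query, matched case-insensitively
XSS_PATTERNS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)

# Constructed log format (assumption, not a WISE-DeviceOn log format):
# "<ts> <user> <METHOD> <path> <status> body=<url-encoded body>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) body=(?P<body>.*)$"
)

def is_suspicious(line):
    """Return a hit dict for a POST to the vulnerable endpoint carrying a script pattern, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    if m["method"] != "POST" or m["path"].split("?")[0] != VULN_PATH:
        return None
    # Decode twice so single- and double-URL-encoded payloads both surface
    body = unquote(unquote(m["body"]))
    hit = XSS_PATTERNS.search(body)
    if hit is None:
        return None
    return {"ts": m["ts"], "user": m["user"], "match": hit.group(0)}

def scan(lines):
    """Run is_suspicious over every line and keep the hits."""
    return [h for h in (is_suspicious(l) for l in lines) if h]

# Constructed sample log: one benign read, one benign menu update, two
# script-bearing menu updates, and a script-bearing POST to another path.
SAMPLE_LOG = [
    "2025-12-09T10:00:01Z alice GET /rmm/v1/plugin-config/dashboards/menus 200 body=",
    "2025-12-09T10:00:05Z alice POST /rmm/v1/plugin-config/dashboards/menus 200 body=name=Overview&url=%2Fdash%2F1",
    "2025-12-09T10:02:11Z mallory POST /rmm/v1/plugin-config/dashboards/menus 200 body=name=%3Cscript%3Ex%3C%2Fscript%3E&url=%2Fdash%2F2",
    "2025-12-09T10:02:40Z mallory POST /rmm/v1/plugin-config/dashboards/menus 200 body=name=%3Cimg%20src%3Dx%20onerror%3Dx%3E",
    "2025-12-09T10:03:00Z bob POST /rmm/v1/devices 200 body=note=%3Cscript%3E",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} user={hit['user']} pattern={hit['match']}")
```

Only the two menu updates from the constructed user are reported; the POST to another path is ignored because the indicator is scoped to the vulnerable endpoint.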
🔗 References
- https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
- https://docs.deviceon.advantech.com/docs/resource/
- https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-dashboards-menus