CVE-2025-34264
📋 TL;DR
Advantech WISE-DeviceOn Server versions before 5.4 contain a stored cross-site scripting vulnerability in the Software Watchdog interface. Authenticated attackers can inject malicious scripts into process names, which execute when other users view those rules, potentially hijacking sessions and performing unauthorized actions. This affects all organizations using vulnerable versions of the WISE-DeviceOn Server.
💻 Affected Systems
- Advantech WISE-DeviceOn Server
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of administrator accounts leading to full system takeover, data exfiltration, and lateral movement within the network.
Likely Case
Session hijacking of authenticated users, unauthorized actions performed in their context, and potential privilege escalation.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and regular session rotation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authentication is obtained. Stored XSS payloads persist until removed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4 and later
Restart Required: Yes
Instructions:
1. Download WISE-DeviceOn Server version 5.4 or later from official Advantech sources.
2. Back up the current configuration and data.
3. Stop the WISE-DeviceOn Server service.
4. Install the updated version.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize process names before storage
Custom implementation required - no standard commands
Output Encoding
Apply proper HTML encoding when rendering process names in the UI
Custom implementation required - no standard commands
🧯 If You Can't Patch
- Restrict access to the Software Watchdog interface to only essential personnel
- Implement Content Security Policy (CSP) headers to mitigate script execution
🔍 How to Verify
Check if Vulnerable:
Check whether the installed version is below 5.4 and test the process name field of the /rmm/v1/dog/{agentId} endpoint for XSS
Check Version:
Check the server administration interface or configuration files for version information
Verify Fix Applied:
Verify version is 5.4 or higher and test that script tags in process names are properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual process names containing script tags or JavaScript in Software Watchdog logs
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- HTTP POST requests to /rmm/v1/dog/{agentId} with suspicious payloads
- Unexpected outbound connections from the server
SIEM Query:
source="wise-deviceon" AND (uri_path="/rmm/v1/dog/*" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))
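The SIEM query above, implemented as a log scanner over constructed sample records (example code added here, not from the Advantech advisory or the product; the JSON field names `source`, `method`, `uri_path`, `user` and `request_body` are assumed to match what your log pipeline emits). It also shows why a literal substring match is weaker than matching after URL-decoding and case-folding the body.

```python
import json
import re
from urllib.parse import unquote

# Path filter from the advisory: the Software Watchdog rule endpoint /rmm/v1/dog/{agentId}.
DOG_PATH = re.compile(r"^/rmm/v1/dog/[^/]+$")
# Markers taken from the SIEM query; compared after normalization.
MARKERS = ("<script", "javascript:")

def normalize(body: str) -> str:
    """URL-decode twice (covers double encoding) and lower-case the request body."""
    return unquote(unquote(body)).lower()

def matches_raw_query(record: dict) -> bool:
    """The SIEM query exactly as written: literal, case-sensitive substring match."""
    return (record.get("source") == "wise-deviceon"
            and DOG_PATH.match(record.get("uri_path", "")) is not None
            and any(m in record.get("request_body", "") for m in ("<script>", "javascript:")))

def is_suspicious(record: dict) -> bool:
    """Hardened rule: POST to the dog endpoint whose normalized body carries a marker."""
    if record.get("source") != "wise-deviceon":
        return False
    if record.get("method", "").upper() != "POST":
        return False
    if not DOG_PATH.match(record.get("uri_path", "")):
        return False
    return any(m in normalize(record.get("request_body", "")) for m in MARKERS)

def scan(lines):
    """Return (user, uri_path) for every log line matching the hardened rule; skip non-JSON lines."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these separately
        if is_suspicious(rec):
            hits.append((rec.get("user"), rec.get("uri_path")))
    return hits

# Constructed sample records (not real WISE-DeviceOn logs); agent ids and users are made up.
SAMPLE_RECORDS = [
    {"source": "wise-deviceon", "method": "POST", "uri_path": "/rmm/v1/dog/agent-01",
     "user": "alice", "request_body": '{"processName":"backup.exe"}'},
    {"source": "wise-deviceon", "method": "POST", "uri_path": "/rmm/v1/dog/agent-01",
     "user": "mallory", "request_body": '{"processName":"<script>alert(1)</script>"}'},
    {"source": "wise-deviceon", "method": "POST", "uri_path": "/rmm/v1/dog/agent-02",
     "user": "mallory", "request_body": '{"processName":"%3CSCRIPT%3Ealert(1)%3C/script%3E"}'},
    {"source": "wise-deviceon", "method": "GET", "uri_path": "/rmm/v1/dog/agent-01",
     "user": "bob", "request_body": ""},
    {"source": "wise-deviceon", "method": "POST", "uri_path": "/rmm/v1/other",
     "user": "bob", "request_body": '{"note":"<script>"}'},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in SAMPLE_RECORDS] + ["not json at all"]
```

Run `scan(SAMPLE_LOG_LINES)` to see that the hardened rule flags both of mallory's requests, while the literal query misses the percent-encoded one.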
🔗 References
- https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
- https://docs.deviceon.advantech.com/docs/resource/
- https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-dog-agentid