CVE-2025-34265
📋 TL;DR
This stored XSS vulnerability in Advantech WISE-DeviceOn Server allows authenticated attackers to inject malicious scripts into rule engine fields. When other users view or interact with these rules, the scripts execute in their browser context, potentially compromising sessions and enabling unauthorized actions. Affected users include all authenticated users of vulnerable WISE-DeviceOn Server instances.
💻 Affected Systems
- Advantech WISE-DeviceOn Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control by stealing session cookies, performing actions as any authenticated user, and potentially pivoting to other systems.
Likely Case
Session hijacking leading to unauthorized rule modifications, data exfiltration, and privilege escalation within the DeviceOn platform.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting specific rule viewing interfaces.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4
Restart Required: Yes
Instructions:
1. Download WISE-DeviceOn Server version 5.4 or later from official Advantech sources.
2. Backup current configuration and data.
3. Stop the DeviceOn service.
4. Install the updated version.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Input Validation Web Application Firewall Rule
Block or sanitize requests containing script tags or JavaScript in the min, max, and unit parameters
Restrict Access to Rule Engine Endpoint
Limit access to the /rmm/v1/rule-engines endpoint to only the administrative users who need it
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Enable strict input validation and output encoding for all user-controlled fields
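The two workarounds above (strict validation of the rule fields and output encoding when rules are rendered) can be shown side by side. The following is an added example written for this advisory, not Advantech code: the `Rule` record, the unit allow-list pattern and the table-row rendering are assumptions that stand in for whatever the real rule-engine view does; only the field names min, max and unit come from the advisory.

```python
import html
import re
from dataclasses import dataclass


# Hypothetical rule record mirroring the min/max/unit fields named in the advisory.
@dataclass
class Rule:
    name: str
    min: str
    max: str
    unit: str


# Allow-list for the unit field: letters, digits and a few symbols, short length.
# The exact pattern is an assumption; tighten it to the units your deployment uses.
UNIT_RE = re.compile(r"^[A-Za-z0-9%°/._ -]{1,16}$")


def validate_rule_fields(minimum: str, maximum: str, unit: str) -> list[str]:
    """Strict input validation: min/max must be numeric, unit must match the allow-list.

    Returns a list of error messages; an empty list means the input is acceptable.
    """
    errors = []
    for label, value in (("min", minimum), ("max", maximum)):
        try:
            float(value)
        except ValueError:
            errors.append(f"{label} must be numeric")
    if not UNIT_RE.match(unit):
        errors.append("unit contains characters outside the allow-list")
    return errors


def render_rule_unsafe(rule: Rule) -> str:
    """The anti-pattern: user-controlled fields interpolated straight into HTML.

    Whatever a user stored in min/max/unit is emitted verbatim, so markup in those
    fields becomes part of the page every viewer loads.
    """
    return (f"<tr><td>{rule.name}</td><td>{rule.min}</td>"
            f"<td>{rule.max}</td><td>{rule.unit}</td></tr>")


def render_rule_safe(rule: Rule) -> str:
    """Hardened form: every field is HTML-escaped before interpolation.

    quote=True also escapes ' and ", so the value is inert inside attributes too.
    """
    def e(s: str) -> str:
        return html.escape(s, quote=True)
    return (f"<tr><td>{e(rule.name)}</td><td>{e(rule.min)}</td>"
            f"<td>{e(rule.max)}</td><td>{e(rule.unit)}</td></tr>")


# Example CSP for a server that only serves its own scripts; an assumed baseline,
# not a policy taken from the product. Inline scripts are not allowed by it.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def security_headers() -> dict:
    """Headers to add to rule-view responses as a stop-gap while unpatched."""
    return {"Content-Security-Policy": CSP_HEADER}


if __name__ == "__main__":
    # Constructed sample: a stored rule whose unit field carries markup.
    bad = Rule(name="TempHigh", min="10", max="40", unit="<script>x</script>")
    print("validation:", validate_rule_fields(bad.min, bad.max, bad.unit))
    print("unsafe    :", render_rule_unsafe(bad))
    print("safe      :", render_rule_safe(bad))
```

Validation rejects the stored value before it reaches the database, and escaping on output protects every viewer even if a value slipped in before the check existed; the two belong together rather than as alternatives, and the CSP is a third layer that limits what an injected script could do if both failed.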
🔍 How to Verify
Check if Vulnerable:
Check if version is below 5.4 and test if unsanitized HTML input in min/max/unit fields renders as HTML in rule views
Check Version:
Check DeviceOn web interface admin panel or server logs for version information
Verify Fix Applied:
After patching, verify version is 5.4+ and test that script tags in rule fields are properly escaped in output
📡 Detection & Monitoring
Log Indicators:
- Unusual rule creation/modification patterns
- Requests with script tags in min/max/unit parameters
- Multiple failed authentication attempts followed by rule access
Network Indicators:
- POST requests to /rmm/v1/rule-engines with JavaScript payloads
- Unusual outbound connections from DeviceOn server
SIEM Query:
source="deviceon" AND (uri_path="/rmm/v1/rule-engines" AND (param="min" OR param="max" OR param="unit") AND (value CONTAINS "<script>" OR value CONTAINS "javascript:"))
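The SIEM query above matches the literal strings `<script>` and `javascript:`, so a submission that is URL-encoded or uses different letter case would slip past it. The following is an added example, not part of the advisory and not a DeviceOn tool: it runs the same detection logic over constructed sample log lines (the log format, usernames and timestamps are assumptions) but decodes parameters first and matches case-insensitively, covering the Log Indicators and Network Indicators listed above for the /rmm/v1/rule-engines endpoint.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log lines (not real DeviceOn output). The assumed format is:
# <timestamp> user=<name> <METHOD> <path> <url-encoded parameters>
SAMPLE_LOG = """\
2025-12-08T10:01:02Z user=ops1 POST /rmm/v1/rule-engines name=TempHigh&min=10&max=40&unit=C
2025-12-08T10:03:15Z user=ops2 POST /rmm/v1/rule-engines name=Hum&min=0&max=100&unit=%3Cscript%3Ex%3C%2Fscript%3E
2025-12-08T10:04:44Z user=ops3 GET /rmm/v1/rule-engines id=7
2025-12-08T10:05:10Z user=ops2 POST /rmm/v1/rule-engines name=Pres&min=javascript%3Avoid(0)&max=5&unit=bar
2025-12-08T10:06:00Z user=ops1 POST /rmm/v1/devices name=x&unit=%3CSCRIPT%3E
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<qs>.*)$"
)
RULE_ENDPOINT = "/rmm/v1/rule-engines"   # endpoint named in the advisory
WATCHED_PARAMS = ("min", "max", "unit")   # fields named in the advisory

# Case-insensitive markers of script injection in a stored value. The event-handler
# pattern (on...=) is an addition beyond the advisory's two literal strings.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def find_suspicious_rule_writes(log_text: str) -> list[dict]:
    """Return one hit per watched parameter whose decoded value looks like script.

    Only POSTs to the rule-engine endpoint are inspected; other paths and reads
    (GET) are ignored so the output stays focused on rule creation/modification.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != RULE_ENDPOINT:
            continue
        # parse_qs performs one round of percent-decoding.
        params = parse_qs(m["qs"], keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                # Decode once more so a double-encoded value is still inspected.
                decoded = unquote_plus(value)
                if SUSPICIOUS.search(decoded):
                    hits.append({"ts": m["ts"], "user": m["user"],
                                 "param": name, "value": decoded})
    return hits


def users_with_repeated_hits(hits: list[dict], threshold: int = 2) -> list[str]:
    """Users responsible for at least `threshold` suspicious rule writes, sorted."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for hit in find_suspicious_rule_writes(SAMPLE_LOG):
        print(f"{hit['ts']} user={hit['user']} param={hit['param']} value={hit['value']!r}")
    print("repeat offenders:", users_with_repeated_hits(find_suspicious_rule_writes(SAMPLE_LOG)))
```

Of the five constructed lines, two are flagged: the encoded script tag in unit and the `javascript:` value in min. The GET is a read rather than a write, and the upper-case tag on /rmm/v1/devices falls outside the rule-engine endpoint, so neither is reported; if you want to watch the whole API, widen `RULE_ENDPOINT` to a prefix check. When porting the logic back into a SIEM, apply the platform's URL-decode and lowercase functions to the value before the string comparison so the query does not depend on the attacker's encoding choice.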
🔗 References
- https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
- https://docs.deviceon.advantech.com/docs/resource/
- https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-rulesengine