CVE-2025-34266
📋 TL;DR
This is an authenticated stored cross-site scripting (XSS) vulnerability in Advantech WISE-DeviceOn Server. An authenticated attacker can inject malicious scripts into AddIns menu entries, which execute in victims' browsers when they view or interact with those entries. This affects users of WISE-DeviceOn Server versions prior to 5.4.
💻 Affected Systems
- Advantech WISE-DeviceOn Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control, steals session tokens, performs unauthorized actions as victims, and potentially compromises the entire DeviceOn Server environment.
Likely Case
Session hijacking, credential theft, unauthorized configuration changes, and lateral movement within the DeviceOn Server environment.
If Mitigated
Limited to authenticated users only, with potential for privilege escalation if lower-privileged users can exploit against administrators.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in a standard web interface component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4 or later
Restart Required: Yes
Instructions:
1. Download WISE-DeviceOn Server version 5.4 or later from Advantech's official website.
2. Back up the current configuration and data.
3. Stop the DeviceOn Server service.
4. Install the updated version.
5. Restart the service and verify functionality.
🔧 Temporary Workarounds
Input Validation via Web Application Firewall
Configure WAF rules to block XSS payloads targeting the /rmm/v1/plugin-config/addins/menus endpoint
Restrict AddIns Menu Access
Limit which users can add or edit AddIns menu entries to trusted administrators only
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Monitor and audit all AddIns menu configuration changes for suspicious content
🔍 How to Verify
Check if Vulnerable:
Check if your WISE-DeviceOn Server version is below 5.4 in the web interface or via system information commands
Check Version:
Check the web interface admin panel or consult system documentation for version verification commands
Verify Fix Applied:
After upgrading to version 5.4 or later, verify the version number and test that HTML/script input in AddIns menu fields is properly sanitized
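The "properly sanitized" check above can be made mechanical. The following is an added example, not Advantech's code and not part of the advisory: you enter the harmless probe string into an AddIns menu field on a test instance, fetch the page that renders the menu using your own authenticated session, and pass that HTML to `classify_rendering`. The probe text, the function names and the two constructed page fragments are assumptions made for illustration; the script sends no requests itself.

```python
import html

# Constructed probe: plain markup with no script, used only to see whether the
# server HTML-encodes menu entries on output. Assumption: the AddIns menu name
# is rendered back into a page the browser interprets.
PROBE = '<b data-probe="cve-2025-34266">probe</b>'


def classify_rendering(probe: str, rendered_html: str) -> str:
    """Classify how a stored menu entry came back in the rendered page.

    Returns one of:
      "sanitized" - the probe appears only in HTML-encoded form
      "raw"       - the probe appears verbatim, so markup would be interpreted
      "stripped"  - neither form is present (tags removed or entry not rendered)
      "mixed"     - both forms are present (inconsistent encoding across views)
    """
    # Accept either escaping convention: quotes encoded or left as-is.
    escaped_forms = {html.escape(probe, quote=True), html.escape(probe, quote=False)}
    has_raw = probe in rendered_html
    has_escaped = any(form in rendered_html for form in escaped_forms)
    if has_raw and has_escaped:
        return "mixed"
    if has_raw:
        return "raw"
    if has_escaped:
        return "sanitized"
    return "stripped"


# Constructed page fragments standing in for the rendered AddIns menu:
# one as an unpatched server would emit it, one as a server that encodes output would.
VULNERABLE_PAGE = '<li class="addin"><a href="/x">' + PROBE + "</a></li>"
FIXED_PAGE = '<li class="addin"><a href="/x">' + html.escape(PROBE) + "</a></li>"


def demo() -> dict:
    """Run the classifier over both constructed fragments."""
    return {
        "vulnerable": classify_rendering(PROBE, VULNERABLE_PAGE),
        "fixed": classify_rendering(PROBE, FIXED_PAGE),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

A "mixed" or "raw" verdict after the upgrade means the entry is still interpreted as markup somewhere and the fix should be re-checked; "stripped" is acceptable but worth confirming against a second, plain-text probe so that legitimate entries are not being dropped.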
📡 Detection & Monitoring
Log Indicators:
- Unusual AddIns menu configuration changes
- Multiple failed authentication attempts followed by successful login and menu modifications
- Suspicious strings containing script tags or JavaScript in configuration logs
Network Indicators:
- HTTP POST requests to /rmm/v1/plugin-config/addins/menus containing script payloads
- Unusual outbound connections from DeviceOn Server to external domains
SIEM Query:
source="deviceon-logs" AND (uri_path="/rmm/v1/plugin-config/addins/menus" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:"))
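The log indicators and the SIEM query above, expressed as offline detection logic over constructed log lines. This is an added example, not tooling from Advantech or the advisory. It generalizes the query slightly: the request body is URL-decoded, HTML-entity-decoded and JSON-parsed before matching, so percent-encoded or \u003c-escaped script tags are still caught, and inline event-handler attributes are flagged alongside script tags and javascript: URIs. The JSON field names (ts, user, method, uri_path, body) and every sample line are assumptions.

```python
import html
import json
import re
from urllib.parse import unquote_plus

MENU_ENDPOINT = "/rmm/v1/plugin-config/addins/menus"
MUTATING_METHODS = {"POST", "PUT", "PATCH"}

# Indicators from the advisory (script tags, javascript: URIs) plus inline
# event handlers, which carry script without either of those tokens.
PAYLOAD_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
}

# Constructed audit log, one JSON object per line (field names are assumptions).
SAMPLE_LOG = r'''
{"ts":"2025-12-09T10:01:02Z","user":"ops1","method":"GET","uri_path":"/rmm/v1/plugin-config/addins/menus","body":""}
{"ts":"2025-12-09T10:02:15Z","user":"ops1","method":"POST","uri_path":"/rmm/v1/plugin-config/addins/menus","body":"{\"name\":\"Dashboard\",\"url\":\"/dash\"}"}
{"ts":"2025-12-09T10:05:40Z","user":"contractor","method":"POST","uri_path":"/rmm/v1/plugin-config/addins/menus","body":"{\"name\":\"<script>probe()</script>\"}"}
{"ts":"2025-12-09T10:06:03Z","user":"contractor","method":"POST","uri_path":"/rmm/v1/plugin-config/addins/menus","body":"{\"name\":\"Help\",\"url\":\"javascript:probe()\"}"}
{"ts":"2025-12-09T10:07:11Z","user":"contractor","method":"POST","uri_path":"/rmm/v1/plugin-config/addins/menus","body":"name=%3Cscript%3Eprobe()%3C%2Fscript%3E&url=%2Fx"}
{"ts":"2025-12-09T10:08:30Z","user":"ops2","method":"POST","uri_path":"/rmm/v1/devices","body":"{\"note\":\"<script>probe()</script>\"}"}
{"ts":"2025-12-09T10:09:47Z","user":"contractor","method":"PUT","uri_path":"/rmm/v1/plugin-config/addins/menus/7","body":"{\"name\":\"<img src=x onerror=probe()>\"}"}
{"ts":"2025-12-09T10:11:05Z","user":"contractor","method":"POST","uri_path":"/rmm/v1/plugin-config/addins/menus","body":"{\"name\":\"\\u003cscript\\u003eprobe()\\u003c/script\\u003e\"}"}
'''


def normalize(text: str) -> str:
    """Undo two rounds of percent- and HTML-entity encoding."""
    for _ in range(2):
        text = html.unescape(unquote_plus(text))
    return text


def _strings(obj):
    """Yield every string (keys and values) inside a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def scan_log(lines):
    """Return findings for mutating requests to the AddIns menu endpoint
    whose body carries a script indicator after decoding."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line; skip rather than abort the scan
        if event.get("method") not in MUTATING_METHODS:
            continue
        if not str(event.get("uri_path", "")).startswith(MENU_ENDPOINT):
            continue
        body = str(event.get("body", ""))
        texts = [normalize(body)]
        try:
            # JSON bodies may hide '<' behind \u003c; parse to reach the real text.
            texts.extend(normalize(s) for s in _strings(json.loads(body)))
        except json.JSONDecodeError:
            pass  # form-encoded or empty body; the decoded raw text is enough
        hits = sorted(
            name for name, pattern in PAYLOAD_PATTERNS.items()
            if any(pattern.search(t) for t in texts)
        )
        if hits:
            findings.append({"line": lineno, "ts": event.get("ts"),
                             "user": event.get("user"), "patterns": hits})
    return findings


def scan_sample():
    """Run the scanner over the constructed log."""
    return scan_log(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Point `scan_log` at an export of the web-tier access or audit log in the same shape, and treat a run of hits from one account in a short window as the "menu modifications" indicator listed above; the GET on line 1 and the POST to a different endpoint on line 6 are deliberately not reported, since the stored entry point is the menu endpoint itself.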
🔗 References
- https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
- https://docs.deviceon.advantech.com/docs/resource/
- https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-addins-menus