CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-34256

CVSS 10.0v4.0pub. 2025-12-05upd. 2026-04-15

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.

🤖 AI Analysis
How it works

All product installations use an identical, static HMAC HS512 secret for signing JWT tokens of type EIRMMToken. The server accepts JWT tokens that contain only a valid 'email' field — an attacker can independently generate a properly signed token without knowing any authentication credentials. Because the key is identical across all installations (hardcoded), the exploit works against every vulnerable version of WISE-DeviceOn server. The obtained token allows impersonation of any account, including the super administrator (root) account.

Impact

The attacker gains full administrative control over the WISE-DeviceOn instance, enabling them to execute code on managed agency devices through the platform's built-in remote management functions.

Mitigation & patch

Immediately update Advantech WISE-DeviceOn Server to version 5.4 or newer, in accordance with the vendor's recommendations published in Security Advisory SECURITY-ADVISORY----DeviceOn-20251208-2. Until the patch is deployed, it is recommended to restrict network access to the WISE-DeviceOn server exclusively to trusted IP addresses at the firewall level.

Who is affected

Advantech WISE-DeviceOn Server versions prior to 5.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Advantech Wise Deviceon Server

    APP
    Advantech
    < 5.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-34257MEDIUM5.1ten sam produkt

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability...

CVE-2025-34258MEDIUM5.1ten sam produkt

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability...

CVE-2025-34259MEDIUM5.1ten sam produkt

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability...

CVE-2025-34260MEDIUM5.1ten sam produkt

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability...

CVE-2025-34261MEDIUM5.1ten sam produkt

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability...