CVE-2025-34256: CWE-321 Use of Hard-coded Cryptographic Key in Advantech Co., Ltd. WISE-DeviceOn Server
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.
AI Analysis
Technical Summary
Advantech WISE-DeviceOn Server, a platform used for managing industrial IoT devices, contains a severe cryptographic vulnerability identified as CVE-2025-34256. The core issue is a hard-coded cryptographic key: a static HS512 HMAC secret embedded in the software and used uniformly across all deployments to sign EIRMMToken JWTs. Because the key is static and known, an attacker can craft forged JWTs by simply including a valid email claim, bypassing authentication entirely. This allows remote, unauthenticated attackers to impersonate any user account, including the highest-privilege root super admin. With administrative access, attackers can manipulate the DeviceOn server, altering configurations, accessing sensitive data, and leveraging DeviceOn’s remote management capabilities to execute arbitrary code on connected managed agents. This vulnerability affects all versions prior to 5.4 and is exploitable over the network without any user interaction or prior authentication. The CVSS 4.0 vector reflects these factors, rating the vulnerability as critical with maximum impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the ease of exploitation and potential damage make this a high-risk threat for organizations relying on this platform for industrial device management.
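To make the verifier-side defect concrete, here is an added Python example; it is not Advantech's code, and the static secret, the claim names other than `email`, and the `DEVICEON_JWT_SECRET` environment variable name are constructed placeholders rather than values from the product. It contrasts the pattern the advisory describes (one HS512 secret for every installation, and acceptance as soon as an email claim is present) with a verifier that uses a per-installation secret, pins the algorithm, requires issue time, expiry and a token id, and enforces them.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# CONSTRUCTED placeholder for a secret compiled into every installation; not the real key.
STATIC_SECRET = b"placeholder-secret-shared-by-every-install"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs512(claims: dict, secret: bytes) -> str:
    """Standard JWS compact serialization with HMAC-SHA512 (JWT alg HS512)."""
    header = _b64url(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def _check_mac(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS512 MAC over header.payload verifies, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha512).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None


def verify_weak(token: str) -> Optional[str]:
    """The shape the advisory describes: one secret for all installations and
    acceptance as soon as the payload carries an email claim. Returns the
    identity the server would act as."""
    claims = _check_mac(token, STATIC_SECRET)
    if not isinstance(claims, dict) or "email" not in claims:
        return None
    return claims["email"]


REQUIRED_CLAIMS = ("email", "iat", "exp", "jti")


def verify_hardened(token: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Per-installation secret, algorithm pinned to HS512, required claims and
    expiry enforced. Returns the email claim only when every check passes."""
    now = time.time() if now is None else now
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except (ValueError, IndexError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return None  # refuse 'none' and algorithm-confusion headers
    claims = _check_mac(token, secret)
    if not isinstance(claims, dict) or any(c not in claims for c in REQUIRED_CLAIMS):
        return None
    if not (claims["iat"] <= now < claims["exp"]):
        return None
    return claims["email"]


def load_install_secret() -> bytes:
    """Hardened deployments read the key from configuration or a secrets store.
    DEVICEON_JWT_SECRET is an assumed name, not a real product setting; a random
    per-process key stands in when it is unset."""
    value = os.environ.get("DEVICEON_JWT_SECRET")
    return value.encode() if value else os.urandom(64)


def demo(now: float = 1_700_000_000) -> dict:
    """The same minimal token passes the weak verifier and fails the hardened one."""
    minimal = sign_hs512({"email": "root@example.invalid"}, STATIC_SECRET)
    secret = load_install_secret()
    proper = sign_hs512(
        {"email": "ops@example.invalid", "iat": now, "exp": now + 900, "jti": "constructed-1"},
        secret,
    )
    return {
        "weak_accepts_minimal": verify_weak(minimal),
        "hardened_rejects_minimal": verify_hardened(minimal, secret, now),
        "hardened_accepts_proper": verify_hardened(proper, secret, now),
        "hardened_rejects_expired": verify_hardened(proper, secret, now + 1000),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result!r}")
```

The fix is not only a different key: the hardened verifier also refuses any token that lacks `iat`, `exp` and `jti`, which is what makes a compromised or leaked key far less useful, because a token minted with it still has to carry a short lifetime and an id the server can revoke or audit.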
Potential Impact
For European organizations using Advantech WISE-DeviceOn Server, this vulnerability poses a significant risk to operational technology (OT) and industrial IoT environments. Successful exploitation could lead to full compromise of device management infrastructure, enabling attackers to disrupt industrial processes, steal sensitive operational data, or deploy malicious code to managed devices. This could result in operational downtime, safety hazards, regulatory non-compliance, and financial losses. Given the critical role of industrial automation in sectors like manufacturing, energy, and transportation across Europe, the impact could extend beyond individual organizations to affect supply chains and critical infrastructure. The ability to impersonate any user, including super admins, also raises the risk of insider-like attacks and persistent unauthorized access. The lack of required authentication and user interaction further increases the threat’s severity, making it accessible to remote attackers without sophisticated prerequisites.
Mitigation Recommendations
Organizations should urgently upgrade Advantech WISE-DeviceOn Server to version 5.4 or later, where the hard-coded key vulnerability is addressed. If immediate patching is not feasible, implement network segmentation to isolate the DeviceOn server from untrusted networks and restrict access to trusted administrators only. Employ strict firewall rules and VPN access controls to limit exposure. Monitor logs for unusual JWT usage or authentication anomalies indicative of token forgery. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malformed or suspicious JWTs. Regularly audit user accounts and permissions on the DeviceOn platform to detect unauthorized privilege escalations. Additionally, coordinate with Advantech support for any available interim mitigation guidance or patches. Incorporate this vulnerability into incident response plans and conduct tabletop exercises simulating exploitation scenarios to prepare operational teams.
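As an added illustration of the log-monitoring recommendation above (this is example code, not part of the advisory and not Advantech tooling), the following Python routine triages authenticated requests from a constructed access-log format that records the bearer token. The log layout, the issuance ledger of token ids, the admin source allowlist and the privileged-account list are all assumptions. Three signals are checked, the first of which follows directly from the advisory: a token carrying only an email claim, with no `iat`, `exp` or `jti`, does not look like anything the server would have issued.

```python
import base64
import json
import re
from typing import Optional

# Constructed log format: one line per authenticated request carrying the bearer token.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) token=(?P<token>\S+)$")

# Constructed reference data: token ids the login endpoint actually minted, the
# addresses super-admin sessions are expected from, and the privileged accounts.
ISSUED_JTI = {"a1", "a2"}
ADMIN_SOURCES = {"10.0.0.5"}
PRIVILEGED = {"root@example.invalid"}


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_claims(token: str) -> Optional[dict]:
    """Read the payload without verifying; triage only needs the claim set."""
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    return claims if isinstance(claims, dict) else None


def _tok(claims: dict) -> str:
    """Constructed test token: real header and payload, placeholder signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS512', 'typ': 'JWT'})}.{enc(claims)}.sig"


SAMPLE_LOG = "\n".join([
    # legitimate operator session from the admin network
    f"2025-12-05T17:30:22Z src=10.0.0.5 path=/api/devices token={_tok({'email': 'ops@example.invalid', 'iat': 1, 'exp': 2, 'jti': 'a1'})}",
    # email-only token for the super admin from outside: the claim shape the advisory describes
    f"2025-12-05T17:31:02Z src=203.0.113.9 path=/api/users token={_tok({'email': 'root@example.invalid'})}",
    # well-formed claims, but a token id the server never issued
    f"2025-12-05T17:31:40Z src=203.0.113.9 path=/api/devices token={_tok({'email': 'ops@example.invalid', 'iat': 1, 'exp': 2, 'jti': 'zz'})}",
    # legitimate super-admin session
    f"2025-12-05T17:32:10Z src=10.0.0.5 path=/api/config token={_tok({'email': 'root@example.invalid', 'iat': 1, 'exp': 2, 'jti': 'a2'})}",
    "2025-12-05T17:33:00Z src=198.51.100.7 path=/api/devices token=garbage",
])


def triage(log_text: str) -> list:
    """Return one finding per suspicious request: missing standard claims,
    unknown token id, or a privileged identity from an unexpected source."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        claims = jwt_claims(m["token"])
        if claims is None:
            findings.append({"ts": m["ts"], "src": m["src"], "email": None,
                             "reasons": ["unparseable token"]})
            continue
        reasons = []
        missing = [c for c in ("iat", "exp", "jti") if c not in claims]
        if missing:
            reasons.append("missing claims " + ",".join(missing))
        if "jti" in claims and claims["jti"] not in ISSUED_JTI:
            reasons.append("jti not in issuance ledger")
        if claims.get("email") in PRIVILEGED and m["src"] not in ADMIN_SOURCES:
            reasons.append("privileged account from unexpected source")
        if reasons:
            findings.append({"ts": m["ts"], "src": m["src"],
                             "email": claims.get("email"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["src"], f["email"], "; ".join(f["reasons"]))
```

The issuance-ledger check is the strongest of the three because it does not depend on the attacker being careless: a token whose `jti` the login endpoint never recorded was not minted by the server, whatever its signature says. Until the upgrade to 5.4 is done, the same rules can feed the WAF or SIEM alerting the recommendations mention.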
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.578Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693316aef88dbe026cfdbdfd
Added to database: 12/5/2025, 5:30:22 PM
Last enriched: 12/19/2025, 8:02:15 PM
Last updated: 1/20/2026, 6:27:01 PM