CVE-2025-34257 is a stored cross-site scripting (XSS) vulnerability identified in Advantech Co., Ltd.'s WISE-DeviceOn Server prior to version 5.4. The vulnerability resides in the /rmm/v1/action/defined endpoint, where the defined_name parameter is accepted from authenticated users when creating tasks. This input is stored persistently and later rendered on the Overview page without adequate HTML sanitization or encoding, violating secure coding practices against CWE-79. As a result, an attacker with authenticated access can inject malicious JavaScript code into defined_name. When other users view the Overview page containing the crafted task, the injected script executes in their browser context. This can lead to session token theft, unauthorized actions performed on behalf of the victim, or other malicious behaviors typical of XSS attacks. The vulnerability requires the attacker to have at least low privileges (authenticated user) and some user interaction (viewing the Overview page). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, user interaction required, and low impact on confidentiality and integrity, with no impact on availability. No public exploits are known at this time, but the vulnerability poses a risk in environments where multiple users access the WISE-DeviceOn Server interface. The flaw highlights insufficient input validation and output encoding in the web application’s task management UI. Since WISE-DeviceOn Server is used for industrial IoT device management, exploitation could facilitate lateral movement or privilege escalation within operational technology networks.

For European organizations, especially those in manufacturing, industrial automation, and critical infrastructure sectors that deploy Advantech WISE-DeviceOn Server, this vulnerability could enable attackers to compromise user sessions and perform unauthorized actions within the device management platform. This may lead to unauthorized configuration changes, disruption of device monitoring, or manipulation of operational data. Given the role of WISE-DeviceOn Server in managing industrial IoT devices, exploitation could indirectly impact operational technology (OT) environments, potentially affecting availability and safety of industrial processes. The medium severity rating reflects moderate risk, but the impact could escalate if attackers leverage this XSS as a foothold for further attacks. European organizations with multiple users accessing the platform are at higher risk, as the stored XSS payload executes in any user’s browser who views the infected task. This could also facilitate phishing or social engineering attacks within the organization. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities post-disclosure. Compliance with EU cybersecurity regulations (e.g., NIS2 Directive) may require timely remediation to avoid penalties and operational risks.

1. Upgrade WISE-DeviceOn Server to version 5.4 or later where the vulnerability is fixed. 2. If immediate patching is not possible, restrict access to the /rmm/v1/action/defined endpoint to trusted users only and limit task creation privileges. 3. Implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting defined_name parameters. 4. Educate users to avoid clicking on suspicious links or viewing untrusted tasks within the Overview page. 5. Apply Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources. 6. Conduct regular security audits and code reviews focusing on input validation and output encoding in web interfaces. 7. Monitor logs for unusual activity related to task creation or modifications. 8. Employ multi-factor authentication (MFA) to reduce risk from compromised credentials. 9. Segment the network to isolate the WISE-DeviceOn Server from broader enterprise and OT networks to limit lateral movement. 10. Prepare incident response plans to quickly address any detected exploitation attempts.