
CVE-2025-34260: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Advantech Co., Ltd. WISE-DeviceOn Server

Severity: Medium
Tags: vulnerability, CVE-2025-34260, CWE-79
Published: Fri Dec 05 2025 (12/05/2025, 17:15:44 UTC)
Source: CVE Database V5
Vendor/Project: Advantech Co., Ltd.
Product: WISE-DeviceOn Server

Description

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/schedule endpoint. When an authenticated user adds a schedule to an existing task, the schedule name is stored and later rendered in schedule listings without HTML sanitization. An attacker can inject malicious script into the schedule name, which is then executed in the browser context of users who view or interact with the affected schedule, potentially enabling session compromise and unauthorized actions as the victim.

AI-Powered Analysis

AI analysis last updated: 12/19/2025, 18:37:21 UTC

Technical Analysis

CVE-2025-34260 is a stored cross-site scripting (XSS) vulnerability identified in Advantech Co., Ltd.'s WISE-DeviceOn Server, affecting versions prior to 5.4. The vulnerability exists in the /rmm/v1/action/schedule endpoint, where authenticated users can add schedules to existing tasks. The schedule name input is stored without proper HTML sanitization and later rendered in schedule listings. This improper neutralization of input (CWE-79) allows an attacker to inject malicious JavaScript code into the schedule name. When other users view or interact with the schedule listing, the injected script executes in their browser context. This can lead to session hijacking, unauthorized actions performed with the victim's privileges, or other malicious activities within the web application context. The vulnerability requires the attacker to have authenticated access to the system and relies on user interaction to trigger the payload execution. The CVSS 4.0 base score is 5.1, indicating a medium severity with network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction needed. The vulnerability has not been reported as exploited in the wild yet. The lack of available patches at the time of reporting necessitates immediate mitigation through input validation and output encoding. This vulnerability poses a risk to environments where WISE-DeviceOn Server is used for industrial device management and monitoring, potentially impacting operational technology (OT) environments.

Potential Impact

For European organizations, this vulnerability presents a moderate risk primarily to industrial and manufacturing sectors that rely on Advantech's WISE-DeviceOn Server for device management and monitoring. Successful exploitation could lead to session hijacking, unauthorized command execution, and potential disruption of device management workflows. This could compromise the integrity and availability of industrial control systems, leading to operational downtime or safety risks. Confidentiality could also be impacted if session tokens or sensitive information are stolen via the XSS attack. Given the requirement for authenticated access and user interaction, the attack surface is somewhat limited but still significant in environments with multiple users managing devices. The impact is heightened in critical infrastructure sectors where device management systems are integral to operational continuity. Additionally, the vulnerability could be leveraged as a foothold for further lateral movement within the network, increasing the overall risk posture.

Mitigation Recommendations

1. Upgrade: Apply the latest available patches or upgrade to Advantech WISE-DeviceOn Server version 5.4 or later once released.
2. Input Validation: Implement strict server-side input validation to reject or sanitize schedule names containing HTML or script elements before storage.
3. Output Encoding: Ensure that all user-supplied data rendered in the UI is properly encoded/escaped to prevent script execution.
4. Access Controls: Restrict schedule creation and modification privileges to trusted users only, minimizing the number of accounts that can inject malicious input.
5. Monitoring and Logging: Enable detailed logging of schedule creation/modification activities and monitor for suspicious inputs or anomalous user behavior.
6. User Awareness: Educate users about the risks of interacting with untrusted schedule entries and encourage cautious behavior.
7. Web Application Firewall (WAF): Deploy or tune WAF rules to detect and block common XSS payloads targeting the affected endpoint.
8. Session Management: Implement secure cookie attributes (HttpOnly, Secure, SameSite) to reduce session hijacking risks if XSS occurs.
9. Network Segmentation: Isolate device management systems from general IT networks to limit lateral movement in case of compromise.
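The following is an added illustration of mitigations 2, 3, 5 and 8 above; it is not Advantech's code and does not reflect how WISE-DeviceOn Server implements the /rmm/v1/action/schedule endpoint. The function names, the allow-list policy for schedule names and the sample names are assumptions chosen for the example. It contrasts a listing renderer that interpolates the stored name verbatim (the flaw class described in the advisory) with one that HTML-encodes it, adds a server-side validator applied before storage, a simple check suitable for flagging suspicious names in logs, and a session cookie header carrying the recommended attributes.

```python
import html
import re

# Assumed policy: schedule names are short, human-readable labels. Markup
# characters are not needed, so the allow-list rejects them outright.
MAX_NAME_LEN = 64
NAME_PATTERN = re.compile(r"[A-Za-z0-9 _.\-:()]{1,%d}" % MAX_NAME_LEN)

# Characters and fragments that have no place in a schedule name and are worth
# flagging in schedule-creation logs (mitigation 5). Constructed list, not a
# complete XSS signature set.
SUSPICIOUS_FRAGMENTS = ("<", ">", "javascript:", "onerror", "onload")


def validate_schedule_name(name: str) -> bool:
    """Server-side validation applied before the name is stored (mitigation 2)."""
    return NAME_PATTERN.fullmatch(name) is not None


def looks_suspicious(name: str) -> bool:
    """Cheap log-review heuristic: does the stored name contain markup fragments?"""
    lowered = name.lower()
    return any(fragment in lowered for fragment in SUSPICIOUS_FRAGMENTS)


def render_schedule_row_unsafe(name: str) -> str:
    # The flaw class in the advisory: the stored value is placed into the HTML
    # unchanged, so any markup it contains is parsed by the viewer's browser.
    return '<tr><td class="schedule-name">%s</td></tr>' % name


def render_schedule_row(name: str) -> str:
    # Hardened renderer (mitigation 3): html.escape turns <, >, &, " and ' into
    # entities, so the browser shows the name as text instead of parsing it.
    return '<tr><td class="schedule-name">%s</td></tr>' % html.escape(name, quote=True)


def render_schedule_listing(names) -> str:
    """Render the whole listing with the hardened row renderer."""
    rows = "".join(render_schedule_row(n) for n in names)
    return '<table id="schedules">%s</table>' % rows


def session_cookie_header(token: str) -> str:
    # Mitigation 8: HttpOnly keeps the token out of reach of page script,
    # Secure restricts it to HTTPS, SameSite=Strict blocks cross-site sends.
    return "Set-Cookie: session=%s; Path=/; HttpOnly; Secure; SameSite=Strict" % token


# Constructed sample names: one benign, one carrying a script tag.
CONSTRUCTED_NAMES = [
    "Nightly reboot (site A)",
    "<script>probe()</script>",
]

if __name__ == "__main__":
    for name in CONSTRUCTED_NAMES:
        print("accepted by validator:", validate_schedule_name(name), repr(name))
        print("flag in logs:         ", looks_suspicious(name))
    print("unsafe :", render_schedule_row_unsafe(CONSTRUCTED_NAMES[1]))
    print("escaped:", render_schedule_row(CONSTRUCTED_NAMES[1]))
    print(session_cookie_header("CONSTRUCTED-TOKEN"))
```

Validation and output encoding are independent layers: the validator stops hostile names from being stored, while the escaping renderer protects any listing that displays values already in the database (including names stored before the validator was deployed). The cookie attributes do not stop the script from running, but they keep the session token itself out of reach of injected script and off cross-site requests.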


Technical Details

Data Version
5.2
Assigner Short Name
VulnCheck
Date Reserved
2025-04-15T19:15:22.578Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 693316aef88dbe026cfdbe11

Added to database: 12/5/2025, 5:30:22 PM

Last enriched: 12/19/2025, 6:37:21 PM

Last updated: 2/4/2026, 4:49:51 AM

Views: 33
