CVE-2025-34261: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Advantech Co., Ltd. WISE-DeviceOn Server
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicegroups/ endpoint. When an authenticated user creates a device group, the name and description values are stored and later rendered in device group listings without proper HTML sanitization. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected device group, potentially enabling session compromise and unauthorized actions as the victim.
AI Analysis
Technical Summary
CVE-2025-34261 is a stored cross-site scripting (XSS) vulnerability identified in Advantech Co., Ltd.'s WISE-DeviceOn Server, specifically in versions prior to 5.4. The vulnerability resides in the /rmm/v1/devicegroups/ REST API endpoint, which allows authenticated users to create device groups by submitting name and description fields. These input fields are stored and later rendered in device group listings without proper HTML sanitization or encoding, leading to improper neutralization of input during web page generation (CWE-79). An attacker with authenticated access can inject malicious JavaScript code into these fields. When other users view or interact with the compromised device group listings, the injected script executes in their browser context. This can result in session token theft, unauthorized actions performed on behalf of the victim, or other malicious activities such as redirecting users to phishing sites or installing malware. The vulnerability requires the attacker to have at least low privileges (an authenticated account) and some user interaction (viewing the device group). The CVSS 4.0 vector indicates a network attack vector, low attack complexity, low privileges required (only an authenticated account), user interaction required, and low impact on confidentiality and integrity, with no impact on availability. No public exploits are currently known, but the vulnerability poses a moderate risk, especially in environments where multiple users manage device groups. Since WISE-DeviceOn Server is used for industrial IoT device management, exploitation could facilitate lateral movement or further compromise within operational technology networks.
Potential Impact
For European organizations, especially those in industrial sectors such as manufacturing, energy, and critical infrastructure that rely on Advantech WISE-DeviceOn Server for IoT device management, this vulnerability could lead to unauthorized access and control over device management interfaces. Exploitation could allow attackers to hijack user sessions, manipulate device group configurations, or perform unauthorized actions, potentially disrupting operational technology environments. This may result in operational downtime, data leakage, or facilitate further attacks within the network. Given the interconnected nature of industrial control systems in Europe and the increasing regulatory focus on cybersecurity (e.g., NIS2 Directive), exploitation could also lead to compliance violations and reputational damage. Although the vulnerability requires authenticated access, insider threats or compromised credentials could be leveraged by attackers. The medium severity rating suggests a moderate but tangible risk that should be addressed promptly to avoid escalation.
Mitigation Recommendations
Specific mitigation steps include:
1) Upgrade Advantech WISE-DeviceOn Server to version 5.4 or later, where this vulnerability is fixed.
2) If immediate patching is not possible, implement strict input validation and output encoding on the device group name and description fields at the application or proxy level to neutralize malicious scripts.
3) Restrict user privileges to the minimum necessary, limiting who can create or modify device groups.
4) Monitor logs for unusual activity related to device group creation or modification.
5) Educate users to be cautious when interacting with device group listings and to report suspicious behavior.
6) Employ web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the affected endpoints.
7) Enforce strong authentication mechanisms and consider multi-factor authentication to reduce the risk of credential compromise.
8) Conduct regular security assessments and penetration testing focused on the WISE-DeviceOn Server environment to detect similar vulnerabilities.
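The following is an added example, not Advantech's code and not taken from this advisory, illustrating the output-encoding and input-validation controls of mitigation step 2 for the two fields named above (name and description). The rendering functions, the validation limits and the sample device group are constructed for the example; only the field names and the endpoint path come from the advisory.

```javascript
// Added example (not the vendor's code): HTML output encoding and input
// validation for device-group name/description fields, the CWE-79 defence
// recommended in mitigation step 2. Function names and limits are assumptions.

// Encode the five characters that can change meaning in an HTML text or
// attribute context. This is the control that actually prevents stored XSS:
// untrusted data is treated as text at render time, never as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored fields concatenated raw into the listing markup.
// Anything a user stored in name/description becomes part of the page.
function renderDeviceGroupRowUnsafe(group) {
  return `<tr><td>${group.name}</td><td>${group.description}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML text context
// immediately before insertion, regardless of what was validated on input.
function renderDeviceGroupRow(group) {
  return `<tr><td>${escapeHtml(group.name)}</td><td>${escapeHtml(group.description)}</td></tr>`;
}

// Render a whole listing; each row is encoded independently.
function renderDeviceGroupListing(groups) {
  return `<table>${groups.map(renderDeviceGroupRow).join('')}</table>`;
}

// Defence in depth for the create/update request on /rmm/v1/devicegroups/:
// reject markup in fields that have no business containing it, and bound
// their length. Limits (64 / 256) are assumptions, not product values.
function validateDeviceGroupPayload(body) {
  const errors = [];
  const rules = { name: 64, description: 256 };
  for (const [field, maxLen] of Object.entries(rules)) {
    const value = body[field];
    if (typeof value !== 'string' || value.trim() === '') {
      errors.push(`${field}: must be a non-empty string`);
      continue;
    }
    if (value.length > maxLen) errors.push(`${field}: exceeds ${maxLen} characters`);
    if (/[<>]/.test(value)) errors.push(`${field}: markup characters are not allowed`);
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample: a device group whose description carries a harmless
// marker tag, standing in for whatever a user might have stored.
const sampleGroup = {
  name: 'Line 3 PLCs',
  description: '<script>probe()</script> pumps',
};
```

Encoding at render time is the fix; validation on the API is an extra layer, because legitimate names may legitimately contain characters such as `&` and because data can reach the listing through paths other than this endpoint. The encoding above is for HTML text and attribute contexts only; a value inserted into a JavaScript block or a URL needs the encoder for that context instead.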
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.579Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693316aef88dbe026cfdbe16
Added to database: 12/5/2025, 5:30:22 PM
Last enriched: 12/5/2025, 5:47:31 PM
Last updated: 12/8/2025, 10:00:36 PM