CVE-2025-34264: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Advantech Co., Ltd. WISE-DeviceOn Server
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/dog/{agentId} endpoint. When an authenticated user adds or edits Software Watchdog process rules for an agent, the monitored process name is stored in the settings array and later rendered in the Software Watchdog UI without proper HTML sanitization. An attacker can inject malicious script into the process name, which is then executed in the browser context of users who view or interact with the affected rules, potentially enabling session compromise and unauthorized actions as the victim.
AI Analysis
Technical Summary
CVE-2025-34264 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Advantech Co., Ltd.'s WISE-DeviceOn Server software versions prior to 5.4. The vulnerability resides in the /rmm/v1/dog/{agentId} REST API endpoint, which handles Software Watchdog process rules for agents. When an authenticated user adds or edits these rules, the monitored process name is stored in a settings array and subsequently rendered in the Software Watchdog UI without proper HTML encoding or sanitization. This improper neutralization of input allows an attacker with valid credentials to inject malicious JavaScript code into the process name field. When other users view or interact with the compromised rules in the UI, the injected script executes in their browser context. This can lead to session token theft, unauthorized command execution within the application context, or other malicious actions leveraging the victim's privileges. The vulnerability requires the attacker to have authenticated access to the system and some level of user interaction to trigger the payload execution. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) indicates network attack vector, low attack complexity, no attack technique required, low confidentiality and integrity impact, no availability impact, and no scope change. No public exploits are currently known, but the vulnerability poses a risk especially in environments where multiple users manage or monitor devices via the WISE-DeviceOn Server. Lack of proper input validation and output encoding in the UI is the root cause. Since the product is used for device management, exploitation could facilitate lateral movement or privilege escalation within industrial or enterprise networks.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access or control over device management interfaces, potentially disrupting industrial operations or IT asset management. Exploitation might allow attackers to hijack sessions of legitimate users, leading to unauthorized changes in device monitoring or control rules. This could degrade operational integrity or enable further compromise of connected systems. Given the critical role of Advantech WISE-DeviceOn Server in industrial IoT and device management, affected organizations in manufacturing, energy, transportation, and critical infrastructure sectors face risks of operational disruption and data leakage. The medium severity rating reflects moderate impact potential, but the requirement for authenticated access limits exposure to insider threats or attackers who have already breached perimeter defenses. However, in environments with multiple administrators or operators, the risk of lateral movement and privilege escalation increases. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure. European entities relying on Advantech solutions should consider this vulnerability in their risk assessments and incident response planning.
Mitigation Recommendations
1. Upgrade: Immediately upgrade Advantech WISE-DeviceOn Server to version 5.4 or later where the vulnerability is fixed.
2. Input Validation: Implement strict input validation and sanitization on the Software Watchdog process name fields to prevent injection of malicious scripts.
3. Output Encoding: Ensure all user-supplied data rendered in the UI is properly HTML-encoded to neutralize script tags and event handlers.
4. Access Controls: Restrict authenticated user permissions to only those necessary for their roles to minimize the risk of malicious rule creation.
5. Monitoring and Logging: Enable detailed logging of changes to Software Watchdog rules and monitor for unusual or unauthorized modifications.
6. User Training: Educate administrators and operators about the risks of XSS and the importance of cautious input handling.
7. Web Application Firewall (WAF): Deploy or update WAF rules to detect and block suspicious script injection attempts targeting the affected endpoint.
8. Session Management: Implement secure session handling to reduce the impact of session hijacking, including use of HttpOnly and Secure cookies.
9. Incident Response: Prepare to respond to potential exploitation by having procedures to quickly revoke compromised sessions and audit affected accounts.
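Input validation, output encoding and a review of already-stored rules (mitigations 2, 3 and 5) can be sketched as follows. This is an added example, not Advantech's code or part of the original advisory; the rule shape (`processName`), the allow-list and all function names are assumptions made for illustration.

```javascript
// Added example: the rule shape ({ processName }) and every function name are
// assumptions for illustration, not the WISE-DeviceOn schema or code.

// Input validation: allow-list of characters expected in a process name.
// The exact character set is an assumption; adjust it to the names in use.
const PROCESS_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 ._()+-]{0,254}$/;
function isValidProcessName(name) {
  return typeof name === "string" && PROCESS_NAME_RE.test(name);
}

// Output encoding: neutralize the characters that are significant in HTML
// text and in quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the stored value is concatenated into markup as-is.
function renderRuleUnsafe(rule) {
  return '<td class="proc">' + rule.processName + "</td>";
}

// Hardened pattern: the same cell with the stored value encoded at output time.
function renderRuleSafe(rule) {
  return '<td class="proc">' + escapeHtml(rule.processName) + "</td>";
}

// Audit: list already-stored rules whose name fails the allow-list, so they
// can be reviewed after upgrading.
function auditRules(settings) {
  return settings
    .map((rule, index) => ({ index, processName: rule.processName }))
    .filter((entry) => !isValidProcessName(entry.processName));
}

// Constructed sample data, not taken from a real server.
const sampleSettings = [
  { processName: "nginx.exe" },
  { processName: "<script>demo()</script>" },
  { processName: "Agent Service (x64)" },
];

console.log(auditRules(sampleSettings));
console.log(renderRuleSafe(sampleSettings[1]));
```

Encoding at output time is the control that closes the rendering path; the allow-list and the audit are defense in depth for values stored before the upgrade.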
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Poland, Spain, Czech Republic
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.579Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693316aef88dbe026cfdbe25
Added to database: 12/5/2025, 5:30:22 PM
Last enriched: 12/5/2025, 5:46:47 PM
Last updated: 12/8/2025, 10:00:36 PM