
CVE-2025-34266: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Advantech Co., Ltd. WISE-DeviceOn Server

Severity: Medium
Tags: CVE-2025-34266, CWE-79
Published: Fri Dec 05 2025 (12/05/2025, 17:17:35 UTC)
Source: CVE Database V5
Vendor/Project: Advantech Co., Ltd.
Product: WISE-DeviceOn Server

Description

CVE-2025-34266 is a stored cross-site scripting (XSS) vulnerability in Advantech WISE-DeviceOn Server versions prior to 5.4, specifically in the /rmm/v1/plugin-config/addins/menus endpoint. Authenticated users can inject malicious scripts via the label and path fields of AddIns menu entries, which are stored and later rendered without proper HTML sanitization. This allows execution of arbitrary scripts in the browsers of users who view or interact with the compromised AddIns UI, potentially leading to session hijacking and unauthorized actions. The vulnerability requires authenticated access and some user interaction but can be exploited remotely over the network. The CVSS 4.0 base score is 5.1, indicating medium severity. No known public exploits exist yet. European organizations using affected versions of WISE-DeviceOn Server should prioritize patching or mitigating this issue to prevent potential compromise.

AI-Powered Analysis

AI analysis last updated: 12/05/2025, 17:46:19 UTC

Technical Analysis

CVE-2025-34266 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Advantech Co., Ltd.'s WISE-DeviceOn Server versions prior to 5.4. The vulnerability resides in the /rmm/v1/plugin-config/addins/menus REST API endpoint, which allows authenticated users to add or edit AddIns menu entries. The label and path parameters submitted by users are stored in the plugin configuration data and later rendered in the AddIns user interface without proper HTML or JavaScript sanitization or encoding. This improper neutralization of input enables an attacker with authenticated access to inject malicious JavaScript code into these fields. When other users view or interact with the affected AddIns menu entries, the injected script executes in their browser context. This can lead to session token theft, unauthorized actions performed on behalf of the victim, or other malicious activities such as redirecting users to phishing sites or installing malware. The vulnerability requires the attacker to have at least low-level privileges (an authenticated user) and some user interaction (viewing or interacting with the malicious AddIns entry). The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:P), and low impact on confidentiality and integrity, with no impact on availability. No public exploits or patches have been reported as of the publication date, but the issue is publicly disclosed and should be addressed promptly. The vulnerability is particularly concerning in environments where multiple users have access to the WISE-DeviceOn Server UI, as it could facilitate lateral movement or privilege escalation through session hijacking or unauthorized commands executed via the victim's browser.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of user sessions and data accessed via the WISE-DeviceOn Server interface. Organizations using affected versions may face session hijacking, unauthorized command execution, or data manipulation if attackers exploit this XSS flaw. This is especially critical in industrial or IoT environments where WISE-DeviceOn Server is used for device management and monitoring, potentially impacting operational technology (OT) systems. Compromise could lead to unauthorized control or disruption of connected devices, causing operational downtime or safety risks. The vulnerability's requirement for authenticated access limits exposure, but insider threats or compromised credentials could facilitate exploitation. Additionally, the stored nature of the XSS means the risk persists until the malicious payload is removed or the system is patched. European entities in sectors such as manufacturing, energy, and critical infrastructure using Advantech products should consider this a significant concern due to the potential cascading effects on industrial control systems and supply chains.

Mitigation Recommendations

1. Upgrade: Immediately upgrade Advantech WISE-DeviceOn Server to version 5.4 or later, where the vulnerability is fixed.
2. Input Validation: Implement strict server-side input validation and sanitization for the label and path fields in the AddIns menu configuration to neutralize HTML and JavaScript content.
3. Output Encoding: Ensure proper output encoding (e.g., HTML entity encoding) when rendering user-supplied data in the UI to prevent script execution.
4. Access Controls: Restrict AddIns menu editing privileges to trusted administrators only, minimizing the number of users who can inject malicious content.
5. Monitoring and Logging: Enable detailed logging of AddIns menu changes and monitor for suspicious modifications or unusual user activity.
6. User Awareness: Educate users to be cautious when interacting with AddIns menus and to report unexpected behavior.
7. Web Application Firewall (WAF): Deploy a WAF with rules to detect and block common XSS attack patterns targeting the affected endpoint.
8. Session Management: Implement secure session management practices, including HttpOnly and Secure flags on cookies, to reduce the impact of session hijacking.
9. Incident Response: Prepare to quickly identify and remove malicious AddIns entries if exploitation is suspected.

These steps collectively reduce the risk of exploitation and limit potential damage.
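As an added illustration of mitigation items 2 and 3 applied to the label and path fields described in the technical analysis (this is example code written here, not Advantech's implementation), the following Python validates an AddIns menu entry server-side and then HTML-entity encodes it at render time. The JSON shape of an entry, the label allowlist and the https-only rule for absolute URLs are assumptions; only the endpoint and the field names come from the advisory.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed AddIns menu entries shaped like a body posted to
# /rmm/v1/plugin-config/addins/menus. The JSON shape is an assumption; only the
# endpoint and the "label"/"path" field names come from the advisory.
SAMPLE_ENTRIES = [
    {"label": "Device Dashboard", "path": "/addins/dashboard"},
    {"label": "<img src=x onerror=alert(1)>", "path": "/addins/x"},
    {"label": "Docs", "path": "javascript:alert(document.cookie)"},
]
LABEL_RE = re.compile(r"[\w .\-()]{1,64}")  # assumed allowlist for labels
ALLOWED_SCHEMES = {"https"}  # absolute URLs must be https; otherwise a site-relative path

def validate_entry(entry: dict) -> list:
    """Server-side validation (mitigation item 2): returns the reasons an entry is
    rejected; an empty list means it is accepted."""
    problems = []
    label, path = entry.get("label", ""), entry.get("path", "")
    if not LABEL_RE.fullmatch(label):
        problems.append("label contains characters outside the allowed set")
    parts = urlsplit(path)
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Encoding alone does not neutralise a javascript: URL inside href; check the scheme.
        problems.append(f"path uses disallowed scheme {parts.scheme!r}")
    elif not parts.scheme and not path.startswith("/"):
        problems.append("relative path must start with '/'")
    if any(ch in path for ch in "<>\"'"):
        problems.append("path contains HTML-significant characters")
    return problems

def render_menu_item(entry: dict) -> str:
    """Output encoding (mitigation item 3): HTML-entity encode every user-supplied
    value so a stored payload renders as visible text rather than markup."""
    return '<a href="{}">{}</a>'.format(
        html.escape(entry["path"], quote=True), html.escape(entry["label"], quote=True))

def render_menu(entries: list) -> tuple:
    """Validate first, then encode: returns (rendered_html_items, rejected_entries)."""
    rendered, rejected = [], []
    for entry in entries:
        problems = validate_entry(entry)
        if problems:
            rejected.append((entry, problems))
        else:
            rendered.append(render_menu_item(entry))
    return rendered, rejected
```

Rejected entries are returned with their reasons so the server can log them, which also feeds mitigation item 5 (monitoring of AddIns menu changes).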


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.579Z
CVSS Version: 4.0
State: PUBLISHED

Added to database: 12/5/2025, 5:30:24 PM

Last enriched: 12/5/2025, 5:46:19 PM

Last updated: 12/6/2025, 12:59:37 AM
