CVE-2025-34266 is a stored cross-site scripting (XSS) vulnerability identified in Advantech Co., Ltd.'s WISE-DeviceOn Server, specifically affecting versions prior to 5.4. The vulnerability resides in the /rmm/v1/plugin-config/addins/menus REST API endpoint, which allows authenticated users to add or edit AddIns menu entries. The label and path parameters submitted by users are stored in the plugin configuration data without proper HTML sanitization or encoding. When these stored values are later rendered in the AddIns user interface, the malicious scripts embedded within these fields execute in the context of the victim's browser. This can lead to session hijacking, unauthorized actions performed on behalf of the victim, or other malicious activities such as credential theft or privilege escalation within the web application. The vulnerability requires an attacker to have authenticated access to the system and some level of user interaction (viewing or interacting with the compromised AddIns entry). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction required, with low confidentiality and integrity impact but no availability impact. No public exploit code or active exploitation has been reported to date. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. Given the nature of the product—WISE-DeviceOn Server, which is used for industrial IoT device management and monitoring—successful exploitation could allow attackers to pivot within industrial networks or disrupt operational technology environments.

For European organizations, especially those in manufacturing, industrial automation, and critical infrastructure sectors that utilize Advantech WISE-DeviceOn Server, this vulnerability poses a moderate risk. Exploitation could allow attackers to execute malicious scripts in the browsers of legitimate users, potentially leading to session hijacking and unauthorized command execution within the management interface. This could result in unauthorized configuration changes, data leakage, or disruption of industrial IoT device management. Given the increasing adoption of IoT and industrial control systems in Europe, particularly in Germany, France, Italy, and the UK, the impact could extend to operational disruptions and compromise of sensitive industrial data. Although exploitation requires authenticated access and user interaction, insider threats or compromised credentials could facilitate attacks. The vulnerability could also be leveraged as a foothold for lateral movement within industrial networks, increasing the risk of broader operational technology compromise. The medium CVSS score reflects these moderate but tangible risks to confidentiality and integrity without direct availability impact.

To mitigate CVE-2025-34266, European organizations should first verify if they are running Advantech WISE-DeviceOn Server versions prior to 5.4 and plan immediate upgrades to the latest patched version once available. In the absence of an official patch, organizations should implement strict input validation and output encoding on the AddIns menu entry fields to prevent injection of malicious scripts. Restrict access to the /rmm/v1/plugin-config/addins/menus endpoint to only trusted and necessary authenticated users, employing the principle of least privilege. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious script injection attempts targeting the affected endpoint. Conduct regular audits of AddIns menu entries for suspicious or unexpected content. Enhance monitoring and alerting for anomalous activities within the WISE-DeviceOn Server, including unusual changes to plugin configurations. Educate users about the risks of interacting with untrusted AddIns entries and enforce multi-factor authentication (MFA) to reduce the risk of credential compromise. Finally, segment industrial IoT management networks from general IT networks to limit the blast radius of any successful exploitation.