CVE-2025-34256
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-04-15
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| advantech | wise-deviceon_server | earlier than 5.4 (5.4 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Users are strongly advised to update to WISE-DeviceOn Server version 5.4 or later, where the hard-coded cryptographic key vulnerability has been fixed by replacing the static key with a system that dynamically generates and securely manages the cryptographic keys used for EIRMMToken authentication. [1] Because every EIRMMToken signed under the old static key verifies until that key is replaced, patching is the only real fix; until it is applied, restrict network access to the DeviceOn Server to trusted hosts. After upgrading, treat sessions established before the upgrade as untrusted and review audit logs for unexpected super-admin logins or remote-management actions against managed agents, since a forged token leaves no failed-login trail.
Can you explain this vulnerability to me?
This vulnerability exists in Advantech WISE-DeviceOn Server versions prior to 5.4, where a hard-coded cryptographic key is used. Specifically, the product signs EIRMMToken JWTs with HS512 (HMAC-SHA512) using a static secret that is identical across all installations. Because the key is the same everywhere, anyone who recovers it from any one copy of the product can sign tokens that every other installation accepts: a JWT whose payload contains nothing more than the email address of the target account is enough to impersonate that account, including the root super admin. This gives the attacker full administrative control over the DeviceOn instance and, through its remote management features, the ability to execute code on managed agents.
How can this vulnerability impact me?
The impact of this vulnerability is severe. A remote, unauthenticated attacker can mint tokens for any email address and thereby impersonate any user, including the highest-privileged root super admin account. This grants the attacker full administrative control of the DeviceOn instance. From there, the attacker can use DeviceOn's remote management capabilities to execute arbitrary code on managed agents, potentially compromising the entire managed environment.
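The following is an added example that illustrates the mechanism described in the explanation and impact answers above, and the kind of fix the mitigation answer refers to. It is not Advantech's code and does not reproduce the real hard-coded key: `STATIC_KEY`, the email addresses, and the `HardenedIssuer` class are constructed placeholders. The JWT is built with the standard library only (HMAC-SHA512 over `base64url(header).base64url(payload)`), so the example runs offline. The vulnerable pattern verifies every token against one key baked into every install and trusts the `email` claim alone; the hardened pattern generates a random 512-bit key per deployment at install time, pins the algorithm to HS512 so the check cannot be downgraded, and rejects tokens without a valid expiry.

```python
"""Forging an HS512 JWT under a shared static key, beside a per-install key fix.

Added example, not Advantech's code. STATIC_KEY, the emails and HardenedIssuer
are placeholders; the product's real key is not known from the advisory.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Placeholder for a secret compiled into every copy of a product (assumption:
# this value is illustrative only).
STATIC_KEY = b"example-static-hs512-secret-shipped-in-every-install"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs512(claims: dict, key: bytes) -> str:
    """Compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA512)."""
    header = {"alg": "HS512", "typ": "JWT"}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs512(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature is valid under `key`, else None.

    The algorithm is pinned to HS512 so a token cannot downgrade to "none" or
    swap algorithms; the MAC comparison is constant-time.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims if isinstance(claims, dict) else None


def forge_token(email: str) -> str:
    """Attacker side: with the shared static key, an email claim is all it takes."""
    return sign_hs512({"email": email}, STATIC_KEY)


def vulnerable_server_accepts(token: str) -> Optional[str]:
    """Vulnerable pattern: same key in every install, email claim trusted alone."""
    claims = verify_hs512(token, STATIC_KEY)
    return claims.get("email") if claims else None


class HardenedIssuer:
    """Fixed pattern: random per-deployment key generated at install time plus
    issued-at/expiry claims so a leaked token ages out."""

    def __init__(self, ttl_seconds: int = 3600):
        # 64 random bytes = a 512-bit key, generated once per deployment and kept
        # in the server's secret store rather than in the shipped binary.
        self.key = secrets.token_bytes(64)
        self.ttl = ttl_seconds

    def issue(self, email: str, now: int) -> str:
        return sign_hs512({"email": email, "iat": now, "exp": now + self.ttl}, self.key)

    def authenticate(self, token: str, now: int) -> Optional[str]:
        claims = verify_hs512(token, self.key)
        if not claims:
            return None
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None
        return claims.get("email")


if __name__ == "__main__":
    forged = forge_token("root@example.com")          # constructed target email
    print("vulnerable server sees:", vulnerable_server_accepts(forged))
    issuer = HardenedIssuer()
    print("hardened server sees:", issuer.authenticate(forged, now=1_700_000_000))
```

Note that the hardened verifier still accepts any token signed under its own key; the point of the fix is that no attacker holds that key unless this specific deployment is already compromised, which is a very different threat from a key that ships inside every copy of the product.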