CVE-2025-34256
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2026-04-15

Assigner: VulnCheck

Description
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34256
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
advantech wise-deviceon_server to 5.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Advantech WISE-DeviceOn Server versions prior to 5.4, where a hard-coded cryptographic key is used. Specifically, the product uses a static HS512 HMAC secret to sign EIRMMToken JWTs across all installations. Because the key is static and hard-coded, an attacker can forge JWTs by including only a valid email claim, allowing them to impersonate any DeviceOn account, including the root super admin. This enables the attacker to gain full administrative control over the DeviceOn instance and potentially execute code on managed agents via remote management features.

Impact Analysis

The impact of this vulnerability is severe. A remote unauthenticated attacker can generate arbitrary tokens to impersonate any user, including the highest privileged root super admin account. This grants the attacker full administrative control of the DeviceOn instance. Additionally, the attacker can leverage this control to execute arbitrary code on managed agents through the remote management capabilities of DeviceOn, potentially compromising the entire managed environment.

Mitigation Strategies

Users are strongly advised to update to WISE-DeviceOn Server version 5.4 or later, where the hard-coded cryptographic key vulnerability has been fixed by replacing the static key with a system that dynamically generates and securely manages cryptographic keys for EIRMMToken authentication. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34256. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart