CVE-2025-34259
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-17

Assigner: VulnCheck

Description
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/building endpoint. When an authenticated user creates a map entry, the name parameter is stored and later rendered in the map list UI without HTML sanitzation. An attacker can inject malicious script into the map entry name, which is then executed in the browser context of users who view or interact with the affected map entry, potentially enabling session compromise and unauthorized actions as the victim.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34259
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
advantech wise-deviceon_server to 5.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves verifying if your Advantech WISE-DeviceOn Server version is prior to 5.4 and checking for stored XSS payloads in the /rmm/v1/devicemap/building endpoint's map entry names. Since the vulnerability requires an authenticated user to create a map entry with malicious script in the name parameter, you can inspect the map entries for suspicious scripts or HTML tags. There are no specific commands provided in the resources to detect this vulnerability automatically. Manual inspection of the map entries via the UI or API calls to the /rmm/v1/devicemap/building endpoint to list map entries and review their name fields for script tags or suspicious content is recommended. [3]

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in Advantech WISE-DeviceOn Server versions prior to 5.4. It occurs in the /rmm/v1/devicemap/building endpoint where an authenticated user can create a map entry with a name parameter that is stored without proper HTML sanitization. Malicious scripts injected into the map entry name are executed in the browser of users who view or interact with that map entry, potentially allowing attackers to compromise user sessions and perform unauthorized actions as those users.

Impact Analysis

The vulnerability can lead to session compromise and unauthorized actions performed in the context of affected users. This means attackers could hijack user sessions, steal sensitive information, or perform actions on behalf of legitimate users, potentially leading to data breaches or system misuse.

Mitigation Strategies

The immediate mitigation step is to update the Advantech WISE-DeviceOn Server to version 5.4 or later, where the vulnerability has been fixed by properly sanitizing the input in the map entry name parameter. Until the update can be applied, restrict authenticated user access to the /rmm/v1/devicemap/building endpoint to trusted users only, and monitor or sanitize inputs manually to prevent injection of malicious scripts. Additionally, educate users to avoid interacting with suspicious map entries that may contain malicious scripts. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34259. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart