CVE-2025-34265
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-17

Assigner: VulnCheck

Description
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/rule-engines endpoint. When an authenticated user creates or updates a rule for an agent, the rule fields min, max, and unit are stored and later rendered in rule listings or detail views without proper HTML sanitation. An attacker can inject malicious script into one or more of these fields, which is then executed in the browser context of users who view or interact with the affected rule, potentially enabling session compromise and unauthorized actions as the victim.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34265
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
advantech wise-deviceon_server to 5.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in Advantech WISE-DeviceOn Server versions prior to 5.4. It occurs in the /rmm/v1/rule-engines endpoint where authenticated users can create or update rules. The fields min, max, and unit in these rules are stored and later displayed without proper HTML sanitization. An attacker can inject malicious scripts into these fields, which will execute in the browsers of users who view or interact with the affected rules, potentially leading to session compromise and unauthorized actions.

Impact Analysis

The vulnerability can impact you by allowing attackers to execute malicious scripts in your browser when you view or interact with affected rules. This can lead to session compromise, meaning attackers could hijack your session, and perform unauthorized actions on your behalf within the application.

Detection Guidance

This vulnerability can be detected by inspecting the /rmm/v1/rule-engines endpoint for stored scripts in the rule fields min, max, and unit. Since it is a stored XSS vulnerability triggered by malicious script injection in these fields, you can detect it by querying or reviewing the rules created or updated by authenticated users for suspicious script tags or HTML content in these fields. Specific commands are not provided in the resources, but manual inspection or automated scanning of the rule data via API calls to /rmm/v1/rule-engines could help identify injected scripts. [2]

Mitigation Strategies

The immediate mitigation step is to update Advantech WISE-DeviceOn Server to version 5.4 or later, where this stored XSS vulnerability has been fixed by properly sanitizing the input fields. Until the update is applied, restrict authenticated user permissions to limit rule creation or updates, and educate users to avoid interacting with suspicious rules. Applying input validation or sanitization at the application or proxy level may also help reduce risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34265. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart