CVE-2025-34257
Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via action/defined
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/defined endpoint. When an authenticated user creates a task, the defined_name value is stored and later rendered in the Overview page without HTML sanitization. An attacker can inject malicious script into defined_name, which is then executed in the browser context of users who view the affected task, potentially enabling session compromise and unauthorized actions as the victim.
| CWE | CWE-79 |
| Vendor | Advantech Co., Ltd. |
| Product | WISE-DeviceOn Server |
| Published | Dec 5, 2025 |
| Last Updated | May 14, 2026 |
Affected Versions
Advantech Co., Ltd. / WISE-DeviceOn Server
0 < 5.4
References
advcloudfiles.advantech.com: https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
docs.deviceon.advantech.com: https://docs.deviceon.advantech.com/docs/resource/
vulncheck.com: https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-action-defined
Credits
Alex Williams from Pellera Technologies