CVE-2025-34256

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
https://docs.deviceon.advantech.com/docs/resource/	Product
https://pellera.com/blog/advantech-wise-deviceon-cve-2025-34256-vulnerability/
https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:*

History

15 Apr 2026, 19:16

Type	Values Removed	Values Added
References		() https://pellera.com/blog/advantech-wise-deviceon-cve-2025-34256-vulnerability/ -
Summary		(es) Advantech WISE-DeviceOn Server versiones anteriores a 5.4 tienen una vulnerabilidad de clave criptográfica almacenada en el código. El producto utiliza un secreto HMAC HS512 estático para firmar los JWT de EIRMMToken en todas las instalaciones. El servidor acepta JWT falsificados que solo necesitan contener un email claim válido, lo que permite a un atacante remoto no autenticado generar tokens arbitrarios y suplantar cualquier cuenta de DeviceOn, incluyendo la cuenta de superadministrador raíz. La explotación exitosa permite el control total como administrador de la instancia de DeviceOn y puede ser aprovechada para ejecutar código en agentes gestionados a través de las funciones de gestión remota de DeviceOn.

17 Dec 2025, 17:15

Type	Values Removed	Values Added
References	{'url': 'https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf', 'tags': ['Vendor Advisory'], 'source': 'disclosure@vulncheck.com'}	() https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf -

11 Dec 2025, 18:13

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:advantech:wise-deviceon_server::::::::
References	~~() https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf -~~	() https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf - Vendor Advisory
References	~~() https://docs.deviceon.advantech.com/docs/resource/ -~~	() https://docs.deviceon.advantech.com/docs/resource/ - Product
References	~~() https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass -~~	() https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass - Third Party Advisory
First Time		Advantech wise-deviceon Server Advantech

05 Dec 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-05 18:15

Updated : 2026-04-15 19:16

NVD link : CVE-2025-34256

Mitre link : CVE-2025-34256

CVE.ORG link : CVE-2025-34256

JSON object : View

Products Affected

advantech

wise-deviceon_server

CWE

CWE-321

Use of Hard-coded Cryptographic Key

9.8 /10