CVE-2025-34256

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-34256
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf
https://docs.deviceon.advantech.com/docs/resource/ Product
https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:*
History

17 Dec 2025, 17:15

Type Values Removed Values Added
References
  • {'url': 'https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf', 'tags': ['Vendor Advisory'], 'source': 'disclosure@vulncheck.com'}
  • () https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf -

11 Dec 2025, 18:13

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:*
References () https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf - () https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf - Vendor Advisory
References () https://docs.deviceon.advantech.com/docs/resource/ - () https://docs.deviceon.advantech.com/docs/resource/ - Product
References () https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass - () https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass - Third Party Advisory
First Time Advantech wise-deviceon Server
Advantech

05 Dec 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-12-05 18:15

Updated : 2025-12-17 17:15

NVD link : CVE-2025-34256

Mitre link : CVE-2025-34256

CVE.ORG link : CVE-2025-34256

JSON object : View

Products Affected

advantech

  • wise-deviceon_server
CWE
CWE-321

Use of Hard-coded Cryptographic Key