Description

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.

INFO

Published Date :

2025-12-05T17:18:31.747Z

Last Modified :

2025-12-17T16:49:17.578Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2025-34256 vulnerability.

Vendors Products
Advantech
  • Wise-deviceon
  • Wise-deviceon Server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34256.

URL Resource
https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf cve-icon cve-icon
https://docs.deviceon.advantech.com/docs/resource/ cve-icon cve-icon
https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact