Description
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.
Published: 2025-12-05
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Advantech WISE‑DeviceOn Server versions before 5.4 contain a hard‑coded HS512 HMAC secret that signs all EIRMMToken JWTs. Because the server accepts JWTs that contain only a valid email claim, a remote unauthenticated attacker can forge a token for any account, including the super admin. The attacker then obtains full administrative control of the DeviceOn instance and can use the server’s remote management features to execute code on managed agents. The vulnerability is a CWE‑321 weakness related to hard‑coded cryptographic keys, compromising both confidentiality and integrity of authentication tokens.

Affected Systems

Advantech Company Ltd. – WISE‑DeviceOn Server; all installations running any version older than 5.4 are affected. No specific patch version is listed, but the fix requires upgrading to at least version 5.4 or applying the vendor’s latest security update.

Risk and Exploitability

The CVSS score of 10 indicates critical severity, while the EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, indicating that active exploitation is currently unlikely but possible. Based on the description, the attack vector is a remote, unauthenticated network request to the device’s API that accepts forged JWTs. Once a valid token is forged, the attacker gains full administrative privileges and can run arbitrary code through remote management capabilities. Because the exploit relies solely on the hard‑coded key and the server’s lax validation, it can be performed without any credentials or local access.

Generated by OpenCVE AI on April 20, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch to upgrade to version 5.4 or later.
  • If a patch cannot be applied immediately, limit DeviceOn API access to trusted network segments or use firewall rules to block external traffic.
  • Reconfigure the server to reject any JWT whose signature does not verify under the server's own key or that lacks a valid email claim, or replace the hard‑coded secret with a unique, per‑installation key.
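The check described in the last bullet, as an added example that is not Advantech's or OpenCVE's code: a standard-library-only Python issuer and verifier for HS512 JWTs that uses a per-installation key (read from an environment variable whose name, DEVICEON_JWT_HS512_KEY, is assumed for this example), pins the algorithm to HS512, compares the HMAC in constant time before any claim is read, and requires an unexpired exp and an email claim. Tokens signed under any other key, tokens that declare alg=none, expired tokens and tokens without an email claim are all rejected.

```python
"""Added example, not vendor code: HS512 JWT issue/verify with a
per-installation secret and strict claim checks."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Hypothetical name for this example; the key is generated once at install
# time and kept in the deployment's config store, never inside the product.
KEY_ENV_VAR = "DEVICEON_JWT_HS512_KEY"


def load_install_key() -> bytes:
    """Return this installation's HMAC key, generating one on first use.
    Storing it in os.environ stands in for a real config store here."""
    hex_key = os.environ.get(KEY_ENV_VAR)
    if hex_key:
        return bytes.fromhex(hex_key)
    key = secrets.token_bytes(64)  # full-width key for HMAC-SHA512
    os.environ[KEY_ENV_VAR] = key.hex()
    return key


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, ttl_seconds: int = 3600,
                now: Optional[float] = None) -> str:
    """Sign claims with HS512; iat/exp are filled in if the caller omits them."""
    now = time.time() if now is None else now
    header = {"alg": "HS512", "typ": "JWT"}
    body = dict(claims)
    body.setdefault("iat", int(now))
    body.setdefault("exp", int(now) + ttl_seconds)
    compact = {"separators": (",", ":")}
    signing_input = (b64url_encode(json.dumps(header, **compact).encode()) + "."
                     + b64url_encode(json.dumps(body, **compact).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if the token is signed with this installation's
    key, unexpired and carries an email claim; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The server, not the token, decides the algorithm (rejects alg=none, HS256).
    if header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + body_b64).encode("ascii"),
                        hashlib.sha512).digest()
    # Constant-time comparison; claims are only parsed after this passes.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("missing email claim")
    return claims


def is_accepted(token: str, key: bytes, now: Optional[float] = None) -> bool:
    """Boolean wrapper for request handlers; any validation failure is a reject."""
    try:
        verify_token(token, key, now)
        return True
    except ValueError:  # covers JSON and base64 decoding errors too
        return False


if __name__ == "__main__":
    k = load_install_key()
    t = issue_token({"email": "operator@example.test"}, k)
    print(verify_token(t, k)["email"])
```

The order of checks is the point: algorithm pinned by the server, signature verified under a key that exists only on this installation, and only then are the claims trusted. A token that merely contains a plausible email claim never reaches the claim checks unless its HMAC was produced with the same per-installation key.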


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 18:30:00 +0000


Wed, 17 Dec 2025 17:30:00 +0000


Wed, 17 Dec 2025 17:15:00 +0000


Thu, 11 Dec 2025 18:15:00 +0000

Type: First Time appeared
  Values Added: Advantech wise-deviceon Server
Type: CPEs
  Values Added: cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Advantech wise-deviceon Server
Type: Metrics (cvssV3_1)
  Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 09 Dec 2025 17:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Dec 2025 21:00:00 +0000

Type: First Time appeared
  Values Added: Advantech; Advantech wise-deviceon
Type: Vendors & Products
  Values Added: Advantech; Advantech wise-deviceon

Fri, 05 Dec 2025 17:30:00 +0000

Type: Description
  Values Added: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.
Type: Title
  Values Added: Advantech WISE-DeviceOn Server < 5.4 Hard-coded JWT Key Authentication Bypass
Type: Weaknesses
  Values Added: CWE-321
Type: References
  Values Added: (empty)
Type: Metrics (cvssV4_0)
  Values Added: {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Advantech Wise-deviceon Wise-deviceon Server
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-15T19:36:20.788Z

Reserved: 2025-04-15T19:15:22.578Z

Link: CVE-2025-34256

Vulnrichment

Updated: 2025-12-09T16:41:37.164Z

NVD

Status : Modified

Published: 2025-12-05T18:15:55.053

Modified: 2026-04-15T19:16:32.673

Link: CVE-2025-34256

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses