CVE-2025-34256
Published: 05 December 2025
Description
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.
Mitigating Controls (NIST 800-53 r5)
- Requires secure establishment and management of cryptographic keys, directly preventing the use of static, hard-coded HS512 HMAC secrets that enable JWT forgery.
- Mandates timely flaw remediation, including patching Advantech WISE-DeviceOn Server to version 5.4 or later to eliminate the hard-coded key vulnerability.
- Controls management and protection of authenticators such as shared HMAC secrets used for JWT signing, reducing risks from static keys.
Security Summary
CVE-2025-34256 is a hard-coded cryptographic key vulnerability (CWE-321) affecting Advantech WISE-DeviceOn Server versions prior to 5.4. The software uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations, enabling the server to accept forged JWTs that require only a valid email claim.
A remote unauthenticated attacker can generate arbitrary tokens to impersonate any DeviceOn account, including the root super admin. Successful exploitation provides full administrative control of the DeviceOn instance and allows code execution on managed agents through the platform's remote management features. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Advantech's security advisory and related references, including those from VulnCheck and Pellera, detail mitigation by upgrading to WISE-DeviceOn Server version 5.4 or later, which addresses the static key issue. Additional resources are available in the official advisory PDF and DeviceOn documentation.
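The two controls that matter here are a signing key minted per installation and a verifier that does not accept a token merely because it carries an email claim. The following is an added example, written for this page and not DeviceOn's code or its key-management API; every name in it (generate_install_secret, issue_token, verify_token, the issuer and audience strings) is hypothetical, and it uses only the Python standard library so it runs offline.

```python
"""Per-installation HS512 JWT key plus strict verification (added example).

Hypothetical code for illustration; not Advantech/DeviceOn code.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed values for this example only.
EXPECTED_ISSUER = "deviceon-server-example"
EXPECTED_AUDIENCE = "deviceon-api"
# A token must carry all of these; an email claim alone is not an identity.
REQUIRED_CLAIMS = ("sub", "email", "iss", "aud", "iat", "exp")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_install_secret() -> bytes:
    """Mint a fresh 64-byte HS512 key at install time.

    Because the key is generated on the deployed host rather than shipped
    in the product image, a key recovered from one installation does not
    verify tokens at any other installation.
    """
    return secrets.token_bytes(64)


def issue_token(claims: dict, key: bytes) -> str:
    """Server-side issuance: HS512 over header.payload, compact serialization."""
    header = _b64url_encode(json.dumps({"alg": "HS512", "typ": "JWT"},
                                       separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha512).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is acceptable, otherwise None.

    Order of checks: structure, pinned algorithm, constant-time HMAC compare,
    required claims present, issuer/audience match, not expired.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    # Pin the algorithm on the server side; the token header never chooses it.
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha512).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims, dict) or any(c not in claims for c in REQUIRED_CLAIMS):
        return None
    if claims["iss"] != EXPECTED_ISSUER or claims["aud"] != EXPECTED_AUDIENCE:
        return None
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        return None
    return claims


def demo() -> dict:
    """Two installations with independently generated keys; constructed data."""
    key_a = generate_install_secret()
    key_b = generate_install_secret()
    now = 1_700_000_000
    good = {"sub": "user-42", "email": "ops@example.invalid", "iss": EXPECTED_ISSUER,
            "aud": EXPECTED_AUDIENCE, "iat": now, "exp": now + 3600}
    email_only = {"email": "root@example.invalid"}
    return {
        "keys_differ": key_a != key_b,
        "own_key_accepted": verify_token(issue_token(good, key_a), key_a, now) is not None,
        # A token minted under installation B's key is worthless at installation A.
        "other_install_rejected": verify_token(issue_token(good, key_b), key_a, now) is None,
        # Even a correctly signed token is refused when it carries only an email claim.
        "email_only_rejected": verify_token(issue_token(email_only, key_a), key_a, now) is None,
        "expired_rejected": verify_token(issue_token({**good, "exp": now - 1}, key_a), key_a, now) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` call shows the four outcomes a reviewer would want from a fixed verifier: its own key works, a sibling installation's key does not, a signature alone is not an identity without the required claims, and expiry is enforced. The algorithm pin and `hmac.compare_digest` are there so that neither a downgraded `alg` header nor a timing side channel weakens the check.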
Details
- CWE(s): CWE-321 (Use of Hard-coded Cryptographic Key)
- Affected Products: Advantech WISE-DeviceOn Server, versions prior to 5.4
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public-facing server and can be exploited without authentication (T1190); forged JWTs act as forged web credentials (T1606) that impersonate valid accounts (T1078), including the root super admin, which amounts to privilege escalation to administrative control (T1068).