Hard-Coded Cryptographic Key Vulnerability in Advantech WISE-DeviceOn Server
CVE-2025-34256

10CRITICAL

Key Information:

Vendor

Advantech Co., Ltd.

Status
Wise-deviceon Server
Vendor
CVE Published:
5 December 2025

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2025-34256?

The Advantech WISE-DeviceOn Server, versions before 5.4, suffers from a significant vulnerability due to a hard-coded cryptographic key. This flaw allows attackers to generate and forge JSON Web Tokens (JWTs) simply by including a valid email claim, paving the way for unauthorized access. Once compromised, an attacker can impersonate any DeviceOn account, including those with full administrative rights. This exploitation can facilitate remote code execution on managed agents, raising severe security concerns for organizations using this server for remote management.

Affected Version(s)

WISE-DeviceOn Server 0 < 5.4.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34256 - Proof of Concept

References

https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7...
vendor-advisorypatch
https://pellera.com/blog/advantech-wise-deviceon-cve-2025...
technical-descriptionexploit
https://docs.deviceon.advantech.com/docs/resource/
product

CVSS V4

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams from Pellera Technologies
.