Hard-Coded Cryptographic Key Vulnerability in Advantech WISE-DeviceOn Server
CVE-2025-34256

10CRITICAL

Key Information:

Vendor

Advantech Co., Ltd.

Status
Wise-deviceon Server
Vendor
CVE Published:
5 December 2025

What is CVE-2025-34256?

The Advantech WISE-DeviceOn Server, versions before 5.4, suffers from a significant vulnerability due to a hard-coded cryptographic key. This flaw allows attackers to generate and forge JSON Web Tokens (JWTs) simply by including a valid email claim, paving the way for unauthorized access. Once compromised, an attacker can impersonate any DeviceOn account, including those with full administrative rights. This exploitation can facilitate remote code execution on managed agents, raising severe security concerns for organizations using this server for remote management.

Affected Version(s)

WISE-DeviceOn Server 0 < 5.4

References

https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7...
vendor-advisorypatch
https://docs.deviceon.advantech.com/docs/resource/
product
https://www.vulncheck.com/advisories/advantech-wise-devic...
third-party-advisory

CVSS V4

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams from Pellera Technologies
JSON
.
CVE-2025-34256 : Hard-Coded Cryptographic Key Vulnerability in Advantech WISE-DeviceOn Server