CVE-2025-34256

CriticalPublic PoC

Published: 05 December 2025

Published

05 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0031 54.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34256 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Advantech Wise-Deviceon Server. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-12 Cryptographic Key Establishment and Management good match

prevent

Requires secure establishment and management of cryptographic keys, directly preventing the use of static, hard-coded HS512 HMAC secrets that enable JWT forgery.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation, including patching Advantech WISE-DeviceOn Server to version 5.4 or later to eliminate the hard-coded key vulnerability.

IA-5 Authenticator Management partial match

prevent

Controls management and protection of authenticators such as shared HMAC secrets used for JWT signing, reducing risks from static keys.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1606 Forge Web Credentials Credential Access

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.

attack.mitre.org →

T1078 Valid Accounts Stealth

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing server enables unauthenticated exploitation (T1190) for privilege escalation to admin (T1068), forging JWT auth tokens as web credentials (T1606), and impersonation of valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email…

claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.

Deeper analysisAI

CVE-2025-34256 is a hard-coded cryptographic key vulnerability (CWE-321) affecting Advantech WISE-DeviceOn Server versions prior to 5.4. The software uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations, enabling the server to accept forged JWTs that require only a valid email claim.

A remote unauthenticated attacker can generate arbitrary tokens to impersonate any DeviceOn account, including the root super admin. Successful exploitation provides full administrative control of the DeviceOn instance and allows code execution on managed agents through the platform's remote management features. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Advantech's security advisory and related references, including those from VulnCheck and Pellera, detail mitigation by upgrading to WISE-DeviceOn Server version 5.4 or later, which addresses the static key issue. Additional resources are available in the official advisory PDF and DeviceOn documentation.