Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn’s remote management features.
All product installations use an identical, static HMAC HS512 secret for signing JWT tokens of type EIRMMToken. The server accepts JWT tokens that contain only a valid 'email' field — an attacker can independently generate a properly signed token without knowing any authentication credentials. Because the key is identical across all installations (hardcoded), the exploit works against every vulnerable version of WISE-DeviceOn server. The obtained token allows impersonation of any account, including the super administrator (root) account.
The attacker gains full administrative control over the WISE-DeviceOn instance, enabling them to execute code on managed agency devices through the platform's built-in remote management functions.
Immediately update Advantech WISE-DeviceOn Server to version 5.4 or newer, in accordance with the vendor's recommendations published in Security Advisory SECURITY-ADVISORY----DeviceOn-20251208-2. Until the patch is deployed, it is recommended to restrict network access to the WISE-DeviceOn server exclusively to trusted IP addresses at the firewall level.
Advantech WISE-DeviceOn Server versions prior to 5.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAdvantech Wise Deviceon Server
APPAdvantech< 5.4
Related vulnerabilities
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability...
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability...
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability...
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability...
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability...