Key Information

Vulnerability Name: Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via dog/{agentId}
Severity: Medium
Date: December 5, 2025
CVE ID: CVE-2025-34264
CWE ID: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References:
- Advantech Security Advisory
- DeviceOn Software Download

Credit: Alex Williams from Pellerla Technologies

Description:
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/dog/{agentId} endpoint. When an authenticated user adds or edits a Software Watchdog process rule, the monitored process name is stored in a settings array and then rendered in the Software Watchdog UI without proper HTML sanitization. An attacker can inject malicious scripts into the process name, which will then execute in the browser context of any user viewing or interacting with the affected rule, potentially leading to session hijacking and unauthorized actions performed on behalf of the victim.
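
The root cause described above is a stored process name reaching the UI without output encoding. The following added example (not Advantech's code; the `settings` array shape and the `processName` field name are assumptions) shows the two defensive controls for this class of bug: an allowlist applied when a rule is saved or audited, and HTML encoding applied when it is rendered.

```javascript
// Added example. The rule shape ({ processName }) is an assumption,
// not the DeviceOn schema.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Save-time validation: process names need only a small character set.
const PROCESS_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 ._()+-]{0,254}$/;

function isValidProcessName(name) {
  return typeof name === 'string' && PROCESS_NAME_RE.test(name);
}

// Audit already-stored rules: return the ones that fail the allowlist,
// so they can be reviewed after upgrading to a fixed version.
function auditRules(settings) {
  return settings.filter((rule) => !isValidProcessName(rule.processName));
}

// Render-time control: encode even if validation exists, because data
// stored before the validation was introduced is still in the database.
function renderRuleRow(rule) {
  const name = escapeHtml(rule.processName);
  return `<tr><td title="${name}">${name}</td></tr>`;
}

// Constructed sample data: two ordinary names and one containing markup.
const sampleSettings = [
  { processName: 'nginx.exe' },
  { processName: 'backup agent (x64).exe' },
  { processName: '<b title="x">svc</b>' },
];

console.log(auditRules(sampleSettings).map((r) => r.processName));
console.log(renderRuleRow(sampleSettings[2]));
```
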