Advantech DeviceOn/iEdge

Plan PatchCVSS 8.8ICS-CERT ICSA-25-310-01Nov 6, 2025

Advantech

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Advantech DeviceOn/iEdge versions 2.0.2 and earlier contain multiple vulnerabilities including path traversal (CWE-22) and cross-site scripting (CWE-79) that could allow an authenticated attacker to execute arbitrary code, read arbitrary files, or cause denial-of-service. The product is end-of-life. Advantech recommends upgrading to the newer DeviceOn product line. Defensive measures include network segmentation, firewall restrictions, and use of secure remote access methods such as VPNs.

What this means

What could happen

An attacker with network access and valid credentials could execute arbitrary code on the DeviceOn/iEdge device, potentially disrupting remote device management and monitoring, or read sensitive configuration files and credentials stored on the system.

Who's at risk

Organizations running Advantech DeviceOn/iEdge for remote device management in industrial environments, particularly water utilities, power systems, and manufacturing facilities that rely on centralized device configuration and monitoring across distributed locations.

How it could be exploited

An attacker with valid login credentials gains network access to the DeviceOn/iEdge web interface. They exploit path traversal (CWE-22) or cross-site scripting (CWE-79) vulnerabilities to execute commands or access files on the host system running the device management software.

Prerequisites

Valid credentials for DeviceOn/iEdge web interface
Network access to the DeviceOn/iEdge management port (typically HTTP/HTTPS)
DeviceOn/iEdge version 2.0.2 or earlier

remotely exploitableauthentication required (valid credentials)affects device management systemsno patch available for affected versionspath traversal and code execution possible

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

DeviceOn/iEdge: <=2.0.2≤ 2.0.2No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDRestrict network access to DeviceOn/iEdge management interfaces using firewalls or network ACLs, allowing only trusted administrative workstations

HARDENINGIsolate DeviceOn/iEdge and managed remote devices behind firewalls, ensuring they are not reachable from the internet or untrusted networks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade DeviceOn/iEdge devices to the newer DeviceOn product line, which is not vulnerable to these vulnerabilities

HARDENINGIf remote management access is required, implement a VPN or jump host (bastion server) rather than exposing the management interface directly

Mitigations - no patch available

0/1

DeviceOn/iEdge: <=2.0.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGRegularly audit and rotate credentials used to access DeviceOn/iEdge management interfaces

CVEs (4)

CVE-2025-64302 CVE-2025-62630 CVE-2025-59171 CVE-2025-58423

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e4ab40c6-e9e3-42f3-be65-d961b2ba1f69

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.