High

Path Traversal in Advantech DeviceOn/iEdge

IdentifiersCVE-2025-59171CWE-22· Improper Limitation of a Pathname…

CVE-2025-59171 is a path traversal vulnerability affecting Advantech DeviceOn/iEdge, including version 2.0.2 and prior according to the cited CISA ICS advisory context. The flaw is caused by insufficient sanitization of attacker-controlled path input associated with a device dependency, allowing a remote attacker to supply crafted input that escapes the intended directory constraints. The available supporting content indicates exploitation can be performed over the network without authentication or user interaction. CISA’s advisory context states successful exploitation may allow an unauthenticated attacker to read arbitrary files or bypass authentication.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow unauthenticated remote access to files outside the intended directory scope, resulting in arbitrary file read and potential exposure of sensitive information. The advisory context also states the flaw may enable authentication bypass, which could permit further unauthorized access to the application or managed environment. The provided content does not support a confirmed RCE impact for this specific CVE; that RCE impact appears to apply to a different CVE in the same advisory.

Mitigation

If you can’t patch tonight, do this now.

Minimize network exposure of DeviceOn/iEdge systems and ensure they are not directly accessible from the internet. Place affected control system devices and remote devices behind firewalls, isolate them from business networks, and use secure remote access methods such as fully updated VPNs when remote administration is required. As compensating controls, restrict file/path access to least privilege, monitor for suspicious file access attempts, and enforce strict server-side validation and normalization of any user-supplied path input.

Remediation

Patch, then assume compromise.

Advantech stated the affected DeviceOn/iEdge products are end-of-life and recommended customers upgrade to DeviceOn, which is reported as not affected. Where vendor guidance is available, organizations should migrate off DeviceOn/iEdge 2.0.2 and prior and apply any replacement or upgrade path recommended by Advantech. Because the issue is a path traversal caused by insufficient sanitization, remediation should include correcting path canonicalization and validation logic so user-controlled input cannot reference files outside restricted directories.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AdvantechDeviceon/Iedgeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cvefeed high severityNews

Nov 6, 2025

CVE-2025-59171 - Advantech DeviceOn/iEdge Path Traversal

A high-severity path traversal vulnerability in Advantech DeviceOn/iEdge allows remote attackers to upload malicious configuration files, leading to remote code execution with system-level permissions. The flaw is due to improper input sanitization.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2