Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (siemens) · only source for this CVE.
CVSS VectorVendor: siemens
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the page. If a benign user with appropriate rights accesses the "communication" parameters page, the malicious code would be executed in the scope of their web session.
AnalysisAI
Stored cross-site scripting in Siemens SIMATIC S7-1500 controller family web interface allows authenticated high-privilege attackers to inject malicious code via crafted PLC/station names in TIA project files. When users with appropriate rights later access the communication parameters page, injected scripts execute in their session context with high impact to confidentiality, integrity, and availability across system boundaries (CVSS 9.3, CVSS:4.0 S:H). No public exploit identified at time of analysis, but CVSS vector indicates low attack complexity (AC:L) once attacker gains privileged project upload access.
Technical ContextAI
This is a stored/persistent XSS vulnerability (CWE-79) affecting the web-based management interface of Siemens SIMATIC S7-1500 programmable logic controllers, SIMATIC ET 200SP CPUs, Drive Controllers, Software Controllers, and S7-PLCSIM Advanced simulation software. The affected products use TIA Portal (Totally Integrated Automation Portal) for engineering and configuration. When project configurations containing PLC or station names are downloaded to the device, these names are rendered on the 'communication' parameters page without proper sanitization. The vulnerability stems from inadequate input validation of user-supplied metadata fields in TIA project files. The CVSS 4.0 vector SC:H/SI:H/SA:H indicates exploitation can compromise confidentiality, integrity, and availability of subsequent system components beyond the vulnerable web interface itself, suggesting potential lateral movement or session hijacking scenarios within industrial control networks.
RemediationAI
Apply firmware updates per Siemens ProductCERT advisory SSA-688146 (https://cert-portal.siemens.com/productcert/html/ssa-688146.html). Based on EUVD version data, fixed firmware versions include V2.9.9 or later for S7-1500 CPU 151x-1PN models, ET 200SP 1510/1512SP variants, and 1511C/1512C compact CPUs; V3.1.6 or later for S7-1500 CPU 1516/1517/1518 -3PN/DP and -4PN/DP models and Drive Controller 1504D/1507D TF variants. For product lines showing open-ended vulnerability ranges, contact Siemens support to confirm patch availability and compatibility with existing TIA Portal projects. Compensating controls until patching: restrict TIA Portal project download permissions to verified personnel only via role-based access control; implement mandatory code review of all TIA project files before deployment using static analysis tools to detect suspicious scripting in metadata fields; isolate engineering workstations accessing PLC web interfaces on dedicated VLANs without internet access; disable web server functionality on PLCs if HMI/SCADA provides sufficient monitoring (note: this prevents local diagnostics and may complicate troubleshooting); log all access to communication parameter pages and correlate with authorized maintenance windows to detect post-compromise reconnaissance. Trade-off: disabling web interface eliminates attack surface but requires alternative remote access methods (TIA Portal direct connection) increasing operational overhead.
Stored cross-site scripting (XSS) in Siemens SIMATIC S7-1500 and ET 200SP controller families allows authenticated attac
Cross-site scripting (XSS) in Siemens SIMATIC S7-1500 PLC family firmware upload interface allows authenticated attacker
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29426