Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (siemens) · only source for this CVE.
CVSS VectorVendor: siemens
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Affected devices do not properly validate and sanitize Technology Object (TO) name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the page. If a benign user with appropriate rights accesses the "Motion Control Diagnostics" parameters page, the malicious code would be executed in the scope of their web session.
AnalysisAI
Stored cross-site scripting (XSS) in Siemens SIMATIC S7-1500 and ET 200SP controller families allows authenticated attackers with high privileges to inject malicious scripts via Technology Object (TO) names when downloading TIA Portal projects. The scripts execute when authorized users access the Motion Control Diagnostics web interface page, enabling session hijacking, credential theft, or privileged actions performed under the victim's context. This affects over 100 product variants across industrial automation controllers, software controllers, and open controllers. No active exploitation confirmed (not in CISA KEV). EPSS score not provided in dataset. CVSS 4.0 score of 9.3 reflects high impact across confidentiality, integrity, and availability in both vulnerable and subsequent systems.
Technical ContextAI
This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the web-based management interface of Siemens SIMATIC controllers. The affected products include hardware PLCs (S7-1500 CPU variants, ET 200SP distributed controllers, Drive Controllers), software-based controllers (S7-PLCSIM Advanced, Software Controller for Linux/Windows), and open controllers. The TIA Portal (Totally Integrated Automation Portal) engineering environment allows engineers to define Technology Objects - structured data blocks for motion control applications. When a TIA project containing a maliciously crafted TO name is downloaded to a controller, the web server fails to sanitize this input before rendering it on the Motion Control Diagnostics page. The vulnerability exists in the embedded web server component common across multiple SIMATIC product lines, evidenced by the extensive CPE list covering CPU models from compact 1511 controllers through high-end 1518 models, including safety-rated (F-suffix), technology (T-suffix), and failsafe variants. CVSS 4.0 metrics indicate network-based attack vector with low complexity but requiring high privileges and user interaction, suggesting the attack chain involves an authenticated project engineer deploying malicious content that triggers when another privileged user accesses diagnostics.
RemediationAI
Apply firmware updates according to Siemens ProductCERT advisory SSA-688146 (https://cert-portal.siemens.com/productcert/html/ssa-688146.html). For SIMATIC S7-1500 standard CPUs (1511, 1513, 1515F-2, 1516F-3 variants), upgrade to firmware V2.9.9 or later. For advanced technology and Drive Controller CPUs (1516T, 1517, 1518, Drive Controller 1504D/1507D variants), upgrade to firmware V3.1.6 or later. For SIMATIC ET 200SP distributed controllers, Software Controllers (all versions V2/V3/V4), ET 200SP Open Controllers, and S7-PLCSIM Advanced, consult the advisory for product-specific patched versions as these span multiple product lines. SIPLUS ruggedized variants follow the same version scheme as their standard counterparts. Until patching is complete, implement these compensating controls with noted trade-offs: (1) Restrict TIA Portal project download permissions to a minimal set of trusted engineers using controller access control lists - reduces attack surface but may impact operational flexibility in multi-engineer environments. (2) Disable or block web server access (port TCP/443 or HTTP/80) to the Motion Control Diagnostics page using firewall rules or controller web server configuration - eliminates XSS trigger mechanism but prevents legitimate diagnostics access, potentially complicating troubleshooting. (3) Implement mandatory code review of all Technology Object configurations before project deployment, scanning for script tags or JavaScript in TO names - labor-intensive and may slow development cycles. (4) Network segmentation: isolate engineering workstations and controller management interfaces from general IT networks using dedicated OT VLANs - effective defense-in-depth but requires network infrastructure changes. Priority: patch standard S7-1500 CPUs and ET 200SP controllers first as these represent the broadest installed base.
Stored cross-site scripting in Siemens SIMATIC S7-1500 controller family web interface allows authenticated high-privile
Cross-site scripting (XSS) in Siemens SIMATIC S7-1500 PLC family firmware upload interface allows authenticated attacker
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29427
GHSA-6664-q64g-w92p