Skip to main content

SIMATIC S7-1500 CVE-2026-25787

| EUVDEUVD-2026-29427 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-05-12 siemens GHSA-6664-q64g-w92p
XSS Simatic Drive Controller Cpu 1504D Tf Simatic Drive Controller Cpu 1507D Tf Simatic Et 200Sp Cpu 1510Sp F 1 Pn Simatic Et 200Sp Cpu 1510Sp 1 Pn Simatic Et 200Sp Cpu 1512Sp F 1 Pn Simatic Et 200Sp Cpu 1512Sp 1 Pn Simatic Et 200Sp Cpu 1514Sp F 2 Pn Simatic Et 200Sp Cpu 1514Sp 2 Pn Simatic Et 200Sp Cpu 1514Spt F 2 Pn Simatic Et 200Sp Cpu 1514Spt 2 Pn Simatic Et 200Sp Open Controller Cpu 1515Sp Pc Incl Siplus Variants Simatic Et 200Sp Open Controller Cpu 1515Sp Pc2 Incl Siplus Variants V2 Cpus Simatic Et 200Sp Open Controller Cpu 1515Sp Pc2 Incl Siplus Variants V3 Cpus Simatic Et 200Sp Open Controller Cpu 1515Sp Pc3 V4 Cpus Simatic S7 1500 Cpu 1511 1 Pn Simatic S7 1500 Cpu 1511C 1 Pn Simatic S7 1500 Cpu 1511F 1 Pn Simatic S7 1500 Cpu 1511T 1 Pn Simatic S7 1500 Cpu 1511Tf 1 Pn Simatic S7 1500 Cpu 1512C 1 Pn Simatic S7 1500 Cpu 1513 1 Pn Simatic S7 1500 Cpu 1513F 1 Pn Simatic S7 1500 Cpu 1513Pro F 2 Pn Simatic S7 1500 Cpu 1513Pro 2 Pn Simatic S7 1500 Cpu 1515 2 Pn Simatic S7 1500 Cpu 1515F 2 Pn Simatic S7 1500 Cpu 1515T 2 Pn Simatic S7 1500 Cpu 1515Tf 2 Pn Simatic S7 1500 Cpu 1516 3 Pn Dp Simatic S7 1500 Cpu 1516F 3 Pn Dp Simatic S7 1500 Cpu 1516Pro F 2 Pn Simatic S7 1500 Cpu 1516Pro 2 Pn Simatic S7 1500 Cpu 1516T 3 Pn Simatic S7 1500 Cpu 1516T 3 Pn Dp Simatic S7 1500 Cpu 1516Tf 3 Pn Simatic S7 1500 Cpu 1516Tf 3 Pn Dp Simatic S7 1500 Cpu 1517 3 Pn Simatic S7 1500 Cpu 1517 3 Pn Dp Simatic S7 1500 Cpu 1517F 3 Pn Simatic S7 1500 Cpu 1517F 3 Pn Dp Simatic S7 1500 Cpu 1517T 3 Pn Simatic S7 1500 Cpu 1517T 3 Pn Dp Simatic S7 1500 Cpu 1517Tf 3 Pn Simatic S7 1500 Cpu 1517Tf 3 Pn Dp Simatic S7 1500 Cpu 1518 3 Pn Simatic S7 1500 Cpu 1518 4 Pn Dp Simatic S7 1500 Cpu 1518 4 Pn Dp Mfp Simatic S7 1500 Cpu 1518F 3 Pn Simatic S7 1500 Cpu 1518F 4 Pn Dp Simatic S7 1500 Cpu 1518F 4 Pn Dp Mfp Simatic S7 1500 Cpu 1518T 3 Pn Simatic S7 1500 Cpu 1518T 4 Pn Dp Simatic S7 1500 Cpu 1518Tf 3 Pn Simatic S7 1500 Cpu 1518Tf 4 Pn Dp Simatic S7 1500 Cpu S7 1518 4 Pn Dp Odk Simatic S7 1500 Cpu S7 1518F 4 Pn Dp Odk Simatic S7 1500 Et 200Pro Simatic S7 1500 Software Controller Cpu 1507S F V2 Simatic S7 1500 Software Controller Cpu 1507S F V3 Simatic S7 1500 Software Controller Cpu 1507S F V4 Simatic S7 1500 Software Controller Cpu 1507S V2 Simatic S7 1500 Software Controller Cpu 1507S V3 Simatic S7 1500 Software Controller Cpu 1507S V4 Simatic S7 1500 Software Controller Cpu 1508S F V2 Simatic S7 1500 Software Controller Cpu 1508S F V3 Simatic S7 1500 Software Controller Cpu 1508S F V4 Simatic S7 1500 Software Controller Cpu 1508S T V3 Simatic S7 1500 Software Controller Cpu 1508S Tf V3 Simatic S7 1500 Software Controller Cpu 1508S V2 Simatic S7 1500 Software Controller Cpu 1508S V3 Simatic S7 1500 Software Controller Cpu 1508S V4 Simatic S7 1500 Software Controller Linux V2 Simatic S7 1500 Software Controller Linux V3 Simatic S7 Plcsim Advanced Siplus Et 200Sp Cpu 1510Sp F 1 Pn Siplus Et 200Sp Cpu 1510Sp F 1 Pn Rail Siplus Et 200Sp Cpu 1510Sp 1 Pn Siplus Et 200Sp Cpu 1510Sp 1 Pn Rail Siplus Et 200Sp Cpu 1512Sp F 1 Pn Siplus Et 200Sp Cpu 1512Sp F 1 Pn Rail Siplus Et 200Sp Cpu 1512Sp 1 Pn Siplus Et 200Sp Cpu 1512Sp 1 Pn Rail Siplus S7 1500 Cpu 1511 1 Pn Siplus S7 1500 Cpu 1511 1 Pn T1 Rail Siplus S7 1500 Cpu 1511 1 Pn Tx Rail Siplus S7 1500 Cpu 1511F 1 Pn Siplus S7 1500 Cpu 1513 1 Pn Siplus S7 1500 Cpu 1513F 1 Pn Siplus S7 1500 Cpu 1515F 2 Pn Siplus S7 1500 Cpu 1515F 2 Pn Rail Siplus S7 1500 Cpu 1515F 2 Pn T2 Rail Siplus S7 1500 Cpu 1516 3 Pn Dp Siplus S7 1500 Cpu 1516 3 Pn Dp Rail Siplus S7 1500 Cpu 1516 3 Pn Dp Tx Rail Siplus S7 1500 Cpu 1516F 3 Pn Dp Siplus S7 1500 Cpu 1516F 3 Pn Dp Rail Siplus S7 1500 Cpu 1518 4 Pn Dp Siplus S7 1500 Cpu 1518 4 Pn Dp Mfp Siplus S7 1500 Cpu 1518F 4 Pn Dp
9.3
CVSS 4.0 · Vendor: siemens
Share

Severity by source

Vendor (siemens) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (siemens) · only source for this CVE.

CVSS VectorVendor: siemens

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 12, 2026 - 10:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 12, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 10:22 NVD
9.1 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
May 12, 2026 - 10:03 vuln.today
CVE Published
May 12, 2026 - 08:21 nvd
CRITICAL 9.1

DescriptionCVE.org

Affected devices do not properly validate and sanitize Technology Object (TO) name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the page. If a benign user with appropriate rights accesses the "Motion Control Diagnostics" parameters page, the malicious code would be executed in the scope of their web session.

AnalysisAI

Stored cross-site scripting (XSS) in Siemens SIMATIC S7-1500 and ET 200SP controller families allows authenticated attackers with high privileges to inject malicious scripts via Technology Object (TO) names when downloading TIA Portal projects. The scripts execute when authorized users access the Motion Control Diagnostics web interface page, enabling session hijacking, credential theft, or privileged actions performed under the victim's context. This affects over 100 product variants across industrial automation controllers, software controllers, and open controllers. No active exploitation confirmed (not in CISA KEV). EPSS score not provided in dataset. CVSS 4.0 score of 9.3 reflects high impact across confidentiality, integrity, and availability in both vulnerable and subsequent systems.

Technical ContextAI

This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the web-based management interface of Siemens SIMATIC controllers. The affected products include hardware PLCs (S7-1500 CPU variants, ET 200SP distributed controllers, Drive Controllers), software-based controllers (S7-PLCSIM Advanced, Software Controller for Linux/Windows), and open controllers. The TIA Portal (Totally Integrated Automation Portal) engineering environment allows engineers to define Technology Objects - structured data blocks for motion control applications. When a TIA project containing a maliciously crafted TO name is downloaded to a controller, the web server fails to sanitize this input before rendering it on the Motion Control Diagnostics page. The vulnerability exists in the embedded web server component common across multiple SIMATIC product lines, evidenced by the extensive CPE list covering CPU models from compact 1511 controllers through high-end 1518 models, including safety-rated (F-suffix), technology (T-suffix), and failsafe variants. CVSS 4.0 metrics indicate network-based attack vector with low complexity but requiring high privileges and user interaction, suggesting the attack chain involves an authenticated project engineer deploying malicious content that triggers when another privileged user accesses diagnostics.

RemediationAI

Apply firmware updates according to Siemens ProductCERT advisory SSA-688146 (https://cert-portal.siemens.com/productcert/html/ssa-688146.html). For SIMATIC S7-1500 standard CPUs (1511, 1513, 1515F-2, 1516F-3 variants), upgrade to firmware V2.9.9 or later. For advanced technology and Drive Controller CPUs (1516T, 1517, 1518, Drive Controller 1504D/1507D variants), upgrade to firmware V3.1.6 or later. For SIMATIC ET 200SP distributed controllers, Software Controllers (all versions V2/V3/V4), ET 200SP Open Controllers, and S7-PLCSIM Advanced, consult the advisory for product-specific patched versions as these span multiple product lines. SIPLUS ruggedized variants follow the same version scheme as their standard counterparts. Until patching is complete, implement these compensating controls with noted trade-offs: (1) Restrict TIA Portal project download permissions to a minimal set of trusted engineers using controller access control lists - reduces attack surface but may impact operational flexibility in multi-engineer environments. (2) Disable or block web server access (port TCP/443 or HTTP/80) to the Motion Control Diagnostics page using firewall rules or controller web server configuration - eliminates XSS trigger mechanism but prevents legitimate diagnostics access, potentially complicating troubleshooting. (3) Implement mandatory code review of all Technology Object configurations before project deployment, scanning for script tags or JavaScript in TO names - labor-intensive and may slow development cycles. (4) Network segmentation: isolate engineering workstations and controller management interfaces from general IT networks using dedicated OT VLANs - effective defense-in-depth but requires network infrastructure changes. Priority: patch standard S7-1500 CPUs and ET 200SP controllers first as these represent the broadest installed base.

Share

CVE-2026-25787 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy