Skip to main content

SIMATIC S7-1500 CVE-2026-25789

| EUVDEUVD-2026-29428 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-12 siemens GHSA-r662-c7v7-m9h4
XSS Simatic Drive Controller Cpu 1504D Tf Simatic Drive Controller Cpu 1507D Tf Simatic Et 200Sp Cpu 1510Sp F 1 Pn Simatic Et 200Sp Cpu 1510Sp 1 Pn Simatic Et 200Sp Cpu 1512Sp F 1 Pn Simatic Et 200Sp Cpu 1512Sp 1 Pn Simatic Et 200Sp Cpu 1514Sp F 2 Pn Simatic Et 200Sp Cpu 1514Sp 2 Pn Simatic Et 200Sp Cpu 1514Spt F 2 Pn Simatic Et 200Sp Cpu 1514Spt 2 Pn Simatic Et 200Sp Open Controller Cpu 1515Sp Pc Incl Siplus Variants Simatic Et 200Sp Open Controller Cpu 1515Sp Pc2 Incl Siplus Variants V2 Cpus Simatic Et 200Sp Open Controller Cpu 1515Sp Pc2 Incl Siplus Variants V3 Cpus Simatic Et 200Sp Open Controller Cpu 1515Sp Pc3 V4 Cpus Simatic S7 1500 Cpu 1511 1 Pn Simatic S7 1500 Cpu 1511C 1 Pn Simatic S7 1500 Cpu 1511F 1 Pn Simatic S7 1500 Cpu 1511T 1 Pn Simatic S7 1500 Cpu 1511Tf 1 Pn Simatic S7 1500 Cpu 1512C 1 Pn Simatic S7 1500 Cpu 1513 1 Pn Simatic S7 1500 Cpu 1513F 1 Pn Simatic S7 1500 Cpu 1513Pro F 2 Pn Simatic S7 1500 Cpu 1513Pro 2 Pn Simatic S7 1500 Cpu 1515 2 Pn Simatic S7 1500 Cpu 1515F 2 Pn Simatic S7 1500 Cpu 1515T 2 Pn Simatic S7 1500 Cpu 1515Tf 2 Pn Simatic S7 1500 Cpu 1516 3 Pn Dp Simatic S7 1500 Cpu 1516F 3 Pn Dp Simatic S7 1500 Cpu 1516Pro F 2 Pn Simatic S7 1500 Cpu 1516Pro 2 Pn Simatic S7 1500 Cpu 1516T 3 Pn Simatic S7 1500 Cpu 1516T 3 Pn Dp Simatic S7 1500 Cpu 1516Tf 3 Pn Simatic S7 1500 Cpu 1516Tf 3 Pn Dp Simatic S7 1500 Cpu 1517 3 Pn Simatic S7 1500 Cpu 1517 3 Pn Dp Simatic S7 1500 Cpu 1517F 3 Pn Simatic S7 1500 Cpu 1517F 3 Pn Dp Simatic S7 1500 Cpu 1517T 3 Pn Simatic S7 1500 Cpu 1517T 3 Pn Dp Simatic S7 1500 Cpu 1517Tf 3 Pn Simatic S7 1500 Cpu 1517Tf 3 Pn Dp Simatic S7 1500 Cpu 1518 3 Pn Simatic S7 1500 Cpu 1518 4 Pn Dp Simatic S7 1500 Cpu 1518 4 Pn Dp Mfp Simatic S7 1500 Cpu 1518F 3 Pn Simatic S7 1500 Cpu 1518F 4 Pn Dp Simatic S7 1500 Cpu 1518F 4 Pn Dp Mfp Simatic S7 1500 Cpu 1518T 3 Pn Simatic S7 1500 Cpu 1518T 4 Pn Dp Simatic S7 1500 Cpu 1518Tf 3 Pn Simatic S7 1500 Cpu 1518Tf 4 Pn Dp Simatic S7 1500 Cpu S7 1518 4 Pn Dp Odk Simatic S7 1500 Cpu S7 1518F 4 Pn Dp Odk Simatic S7 1500 Et 200Pro Simatic S7 1500 Software Controller Cpu 1507S F V2 Simatic S7 1500 Software Controller Cpu 1507S F V3 Simatic S7 1500 Software Controller Cpu 1507S F V4 Simatic S7 1500 Software Controller Cpu 1507S V2 Simatic S7 1500 Software Controller Cpu 1507S V3 Simatic S7 1500 Software Controller Cpu 1507S V4 Simatic S7 1500 Software Controller Cpu 1508S F V2 Simatic S7 1500 Software Controller Cpu 1508S F V3 Simatic S7 1500 Software Controller Cpu 1508S F V4 Simatic S7 1500 Software Controller Cpu 1508S T V3 Simatic S7 1500 Software Controller Cpu 1508S Tf V3 Simatic S7 1500 Software Controller Cpu 1508S V2 Simatic S7 1500 Software Controller Cpu 1508S V3 Simatic S7 1500 Software Controller Cpu 1508S V4 Simatic S7 1500 Software Controller Linux V2 Simatic S7 1500 Software Controller Linux V3 Simatic S7 Plcsim Advanced Siplus Et 200Sp Cpu 1510Sp F 1 Pn Siplus Et 200Sp Cpu 1510Sp F 1 Pn Rail Siplus Et 200Sp Cpu 1510Sp 1 Pn Siplus Et 200Sp Cpu 1510Sp 1 Pn Rail Siplus Et 200Sp Cpu 1512Sp F 1 Pn Siplus Et 200Sp Cpu 1512Sp F 1 Pn Rail Siplus Et 200Sp Cpu 1512Sp 1 Pn Siplus Et 200Sp Cpu 1512Sp 1 Pn Rail Siplus S7 1500 Cpu 1511 1 Pn Siplus S7 1500 Cpu 1511 1 Pn T1 Rail Siplus S7 1500 Cpu 1511 1 Pn Tx Rail Siplus S7 1500 Cpu 1511F 1 Pn Siplus S7 1500 Cpu 1513 1 Pn Siplus S7 1500 Cpu 1513F 1 Pn Siplus S7 1500 Cpu 1515F 2 Pn Siplus S7 1500 Cpu 1515F 2 Pn Rail Siplus S7 1500 Cpu 1515F 2 Pn T2 Rail Siplus S7 1500 Cpu 1516 3 Pn Dp Siplus S7 1500 Cpu 1516 3 Pn Dp Rail Siplus S7 1500 Cpu 1516 3 Pn Dp Tx Rail Siplus S7 1500 Cpu 1516F 3 Pn Dp Siplus S7 1500 Cpu 1516F 3 Pn Dp Rail Siplus S7 1500 Cpu 1518 4 Pn Dp Siplus S7 1500 Cpu 1518 4 Pn Dp Mfp Siplus S7 1500 Cpu 1518F 4 Pn Dp
7.2
CVSS 4.0 · Vendor: siemens
Share

Severity by source

Vendor (siemens) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (siemens) · only source for this CVE.

CVSS VectorVendor: siemens

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 12, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 10:22 NVD
7.1 (HIGH) 7.2 (HIGH)
Analysis Generated
May 12, 2026 - 10:03 vuln.today
CVE Published
May 12, 2026 - 08:21 nvd
HIGH 7.1

DescriptionCVE.org

Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malitcious JavaScript execution in the context of the authenticated user's session without requiring the file to be uploaded, potentially leading to session hijacking or credential theft.

AnalysisAI

Cross-site scripting (XSS) in Siemens SIMATIC S7-1500 PLC family firmware upload interface allows authenticated attackers to execute malicious JavaScript in administrator sessions via crafted filenames. This stored XSS requires social engineering to trick authenticated users into selecting the attacker-supplied firmware file on the web-based management interface. Successful exploitation enables session hijacking and credential theft without requiring the malicious file to be uploaded. EPSS data not provided, no CISA KEV status confirmed, affecting industrial automation controllers widely deployed in critical infrastructure environments.

Technical ContextAI

This vulnerability stems from improper input validation (CWE-79: Cross-Site Scripting) in the web-based firmware update interface of Siemens SIMATIC controllers. The affected product line includes S7-1500 CPUs, ET 200SP distributed I/O controllers, SIMATIC Drive Controllers, and Software Controllers running on Linux. These are programmable logic controllers (PLCs) used in industrial automation and SCADA systems. The firmware update mechanism accepts user-supplied filenames without proper sanitization, allowing JavaScript injection through specially crafted filename strings. When an authenticated administrator views the firmware selection interface, the unsanitized filename is rendered in their browser context, triggering script execution. The CPE strings indicate broad impact across multiple hardware variants (CPU models 1510SP through 1518, including safety-rated F-variants and technology T-variants) and virtualized software controller implementations. This affects both current-generation V3/V4 firmware and legacy V2 systems.

RemediationAI

Apply firmware updates as specified in Siemens ProductCERT advisory SSA-688146 available at https://cert-portal.siemens.com/productcert/html/ssa-688146.html. The advisory provides specific patched firmware versions for each affected CPU model and variant. Until patching is completed, implement strict administrative controls limiting firmware update operations to trusted personnel only, enforce multi-person approval processes for firmware changes, and conduct security awareness training emphasizing risks of selecting files from untrusted sources during firmware updates. Network segmentation should isolate PLC management interfaces from general corporate networks using dedicated management VLANs or jump hosts with enhanced monitoring. Disable web-based management interfaces if command-line or TIA Portal-based firmware update methods are available and preferred in your environment. Monitor authentication logs and firmware update attempts for suspicious patterns. Note that disabling web interfaces may impact operational convenience and remote management capabilities, requiring assessment of operational trade-offs. As this is a stored XSS requiring file interaction rather than automated exploitation, behavioral controls and user training provide meaningful risk reduction while patches are being deployed across industrial environments where change windows are limited.

Share

CVE-2026-25789 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy