Skip to main content

SIMATIC S7-1500 EUVDEUVD-2026-29426

| CVE-2026-25786 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-05-12 siemens
XSS Simatic Drive Controller Cpu 1504D Tf Simatic Drive Controller Cpu 1507D Tf Simatic Et 200Sp Cpu 1510Sp F 1 Pn Simatic Et 200Sp Cpu 1510Sp 1 Pn Simatic Et 200Sp Cpu 1512Sp F 1 Pn Simatic Et 200Sp Cpu 1512Sp 1 Pn Simatic Et 200Sp Cpu 1514Sp F 2 Pn Simatic Et 200Sp Cpu 1514Sp 2 Pn Simatic Et 200Sp Cpu 1514Spt F 2 Pn Simatic Et 200Sp Cpu 1514Spt 2 Pn Simatic Et 200Sp Open Controller Cpu 1515Sp Pc Incl Siplus Variants Simatic Et 200Sp Open Controller Cpu 1515Sp Pc2 Incl Siplus Variants V2 Cpus Simatic Et 200Sp Open Controller Cpu 1515Sp Pc2 Incl Siplus Variants V3 Cpus Simatic Et 200Sp Open Controller Cpu 1515Sp Pc3 V4 Cpus Simatic S7 1500 Cpu 1511 1 Pn Simatic S7 1500 Cpu 1511C 1 Pn Simatic S7 1500 Cpu 1511F 1 Pn Simatic S7 1500 Cpu 1511T 1 Pn Simatic S7 1500 Cpu 1511Tf 1 Pn Simatic S7 1500 Cpu 1512C 1 Pn Simatic S7 1500 Cpu 1513 1 Pn Simatic S7 1500 Cpu 1513F 1 Pn Simatic S7 1500 Cpu 1513Pro F 2 Pn Simatic S7 1500 Cpu 1513Pro 2 Pn Simatic S7 1500 Cpu 1515 2 Pn Simatic S7 1500 Cpu 1515F 2 Pn Simatic S7 1500 Cpu 1515T 2 Pn Simatic S7 1500 Cpu 1515Tf 2 Pn Simatic S7 1500 Cpu 1516 3 Pn Dp Simatic S7 1500 Cpu 1516F 3 Pn Dp Simatic S7 1500 Cpu 1516Pro F 2 Pn Simatic S7 1500 Cpu 1516Pro 2 Pn Simatic S7 1500 Cpu 1516T 3 Pn Simatic S7 1500 Cpu 1516T 3 Pn Dp Simatic S7 1500 Cpu 1516Tf 3 Pn Simatic S7 1500 Cpu 1516Tf 3 Pn Dp Simatic S7 1500 Cpu 1517 3 Pn Simatic S7 1500 Cpu 1517 3 Pn Dp Simatic S7 1500 Cpu 1517F 3 Pn Simatic S7 1500 Cpu 1517F 3 Pn Dp Simatic S7 1500 Cpu 1517T 3 Pn Simatic S7 1500 Cpu 1517T 3 Pn Dp Simatic S7 1500 Cpu 1517Tf 3 Pn Simatic S7 1500 Cpu 1517Tf 3 Pn Dp Simatic S7 1500 Cpu 1518 3 Pn Simatic S7 1500 Cpu 1518 4 Pn Dp Simatic S7 1500 Cpu 1518 4 Pn Dp Mfp Simatic S7 1500 Cpu 1518F 3 Pn Simatic S7 1500 Cpu 1518F 4 Pn Dp Simatic S7 1500 Cpu 1518F 4 Pn Dp Mfp Simatic S7 1500 Cpu 1518T 3 Pn Simatic S7 1500 Cpu 1518T 4 Pn Dp Simatic S7 1500 Cpu 1518Tf 3 Pn Simatic S7 1500 Cpu 1518Tf 4 Pn Dp Simatic S7 1500 Cpu S7 1518 4 Pn Dp Odk Simatic S7 1500 Cpu S7 1518F 4 Pn Dp Odk Simatic S7 1500 Et 200Pro Simatic S7 1500 Software Controller Cpu 1507S F V2 Simatic S7 1500 Software Controller Cpu 1507S F V3 Simatic S7 1500 Software Controller Cpu 1507S F V4 Simatic S7 1500 Software Controller Cpu 1507S V2 Simatic S7 1500 Software Controller Cpu 1507S V3 Simatic S7 1500 Software Controller Cpu 1507S V4 Simatic S7 1500 Software Controller Cpu 1508S F V2 Simatic S7 1500 Software Controller Cpu 1508S F V3 Simatic S7 1500 Software Controller Cpu 1508S F V4 Simatic S7 1500 Software Controller Cpu 1508S T V3 Simatic S7 1500 Software Controller Cpu 1508S Tf V3 Simatic S7 1500 Software Controller Cpu 1508S V2 Simatic S7 1500 Software Controller Cpu 1508S V3 Simatic S7 1500 Software Controller Cpu 1508S V4 Simatic S7 1500 Software Controller Linux V2 Simatic S7 1500 Software Controller Linux V3 Simatic S7 Plcsim Advanced Siplus Et 200Sp Cpu 1510Sp F 1 Pn Siplus Et 200Sp Cpu 1510Sp F 1 Pn Rail Siplus Et 200Sp Cpu 1510Sp 1 Pn Siplus Et 200Sp Cpu 1510Sp 1 Pn Rail Siplus Et 200Sp Cpu 1512Sp F 1 Pn Siplus Et 200Sp Cpu 1512Sp F 1 Pn Rail Siplus Et 200Sp Cpu 1512Sp 1 Pn Siplus Et 200Sp Cpu 1512Sp 1 Pn Rail Siplus S7 1500 Cpu 1511 1 Pn Siplus S7 1500 Cpu 1511 1 Pn T1 Rail Siplus S7 1500 Cpu 1511 1 Pn Tx Rail Siplus S7 1500 Cpu 1511F 1 Pn Siplus S7 1500 Cpu 1513 1 Pn Siplus S7 1500 Cpu 1513F 1 Pn Siplus S7 1500 Cpu 1515F 2 Pn Siplus S7 1500 Cpu 1515F 2 Pn Rail Siplus S7 1500 Cpu 1515F 2 Pn T2 Rail Siplus S7 1500 Cpu 1516 3 Pn Dp Siplus S7 1500 Cpu 1516 3 Pn Dp Rail Siplus S7 1500 Cpu 1516 3 Pn Dp Tx Rail Siplus S7 1500 Cpu 1516F 3 Pn Dp Siplus S7 1500 Cpu 1516F 3 Pn Dp Rail Siplus S7 1500 Cpu 1518 4 Pn Dp Siplus S7 1500 Cpu 1518 4 Pn Dp Mfp Siplus S7 1500 Cpu 1518F 4 Pn Dp
9.3
CVSS 4.0 · Vendor: siemens
Share

Severity by source

Vendor (siemens) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (siemens) · only source for this CVE.

CVSS VectorVendor: siemens

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 12, 2026 - 10:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 12, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 10:22 NVD
9.1 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
May 12, 2026 - 10:02 vuln.today
CVE Published
May 12, 2026 - 08:20 nvd
CRITICAL 9.1

DescriptionCVE.org

Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the page. If a benign user with appropriate rights accesses the "communication" parameters page, the malicious code would be executed in the scope of their web session.

AnalysisAI

Stored cross-site scripting in Siemens SIMATIC S7-1500 controller family web interface allows authenticated high-privilege attackers to inject malicious code via crafted PLC/station names in TIA project files. When users with appropriate rights later access the communication parameters page, injected scripts execute in their session context with high impact to confidentiality, integrity, and availability across system boundaries (CVSS 9.3, CVSS:4.0 S:H). No public exploit identified at time of analysis, but CVSS vector indicates low attack complexity (AC:L) once attacker gains privileged project upload access.

Technical ContextAI

This is a stored/persistent XSS vulnerability (CWE-79) affecting the web-based management interface of Siemens SIMATIC S7-1500 programmable logic controllers, SIMATIC ET 200SP CPUs, Drive Controllers, Software Controllers, and S7-PLCSIM Advanced simulation software. The affected products use TIA Portal (Totally Integrated Automation Portal) for engineering and configuration. When project configurations containing PLC or station names are downloaded to the device, these names are rendered on the 'communication' parameters page without proper sanitization. The vulnerability stems from inadequate input validation of user-supplied metadata fields in TIA project files. The CVSS 4.0 vector SC:H/SI:H/SA:H indicates exploitation can compromise confidentiality, integrity, and availability of subsequent system components beyond the vulnerable web interface itself, suggesting potential lateral movement or session hijacking scenarios within industrial control networks.

RemediationAI

Apply firmware updates per Siemens ProductCERT advisory SSA-688146 (https://cert-portal.siemens.com/productcert/html/ssa-688146.html). Based on EUVD version data, fixed firmware versions include V2.9.9 or later for S7-1500 CPU 151x-1PN models, ET 200SP 1510/1512SP variants, and 1511C/1512C compact CPUs; V3.1.6 or later for S7-1500 CPU 1516/1517/1518 -3PN/DP and -4PN/DP models and Drive Controller 1504D/1507D TF variants. For product lines showing open-ended vulnerability ranges, contact Siemens support to confirm patch availability and compatibility with existing TIA Portal projects. Compensating controls until patching: restrict TIA Portal project download permissions to verified personnel only via role-based access control; implement mandatory code review of all TIA project files before deployment using static analysis tools to detect suspicious scripting in metadata fields; isolate engineering workstations accessing PLC web interfaces on dedicated VLANs without internet access; disable web server functionality on PLCs if HMI/SCADA provides sufficient monitoring (note: this prevents local diagnostics and may complicate troubleshooting); log all access to communication parameter pages and correlate with authorized maintenance windows to detect post-compromise reconnaissance. Trade-off: disabling web interface eliminates attack surface but requires alternative remote access methods (TIA Portal direct connection) increasing operational overhead.

Share

EUVD-2026-29426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy