Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (siemens) · only source for this CVE.
CVSS VectorVendor: siemens
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malitcious JavaScript execution in the context of the authenticated user's session without requiring the file to be uploaded, potentially leading to session hijacking or credential theft.
AnalysisAI
Cross-site scripting (XSS) in Siemens SIMATIC S7-1500 PLC family firmware upload interface allows authenticated attackers to execute malicious JavaScript in administrator sessions via crafted filenames. This stored XSS requires social engineering to trick authenticated users into selecting the attacker-supplied firmware file on the web-based management interface. Successful exploitation enables session hijacking and credential theft without requiring the malicious file to be uploaded. EPSS data not provided, no CISA KEV status confirmed, affecting industrial automation controllers widely deployed in critical infrastructure environments.
Technical ContextAI
This vulnerability stems from improper input validation (CWE-79: Cross-Site Scripting) in the web-based firmware update interface of Siemens SIMATIC controllers. The affected product line includes S7-1500 CPUs, ET 200SP distributed I/O controllers, SIMATIC Drive Controllers, and Software Controllers running on Linux. These are programmable logic controllers (PLCs) used in industrial automation and SCADA systems. The firmware update mechanism accepts user-supplied filenames without proper sanitization, allowing JavaScript injection through specially crafted filename strings. When an authenticated administrator views the firmware selection interface, the unsanitized filename is rendered in their browser context, triggering script execution. The CPE strings indicate broad impact across multiple hardware variants (CPU models 1510SP through 1518, including safety-rated F-variants and technology T-variants) and virtualized software controller implementations. This affects both current-generation V3/V4 firmware and legacy V2 systems.
RemediationAI
Apply firmware updates as specified in Siemens ProductCERT advisory SSA-688146 available at https://cert-portal.siemens.com/productcert/html/ssa-688146.html. The advisory provides specific patched firmware versions for each affected CPU model and variant. Until patching is completed, implement strict administrative controls limiting firmware update operations to trusted personnel only, enforce multi-person approval processes for firmware changes, and conduct security awareness training emphasizing risks of selecting files from untrusted sources during firmware updates. Network segmentation should isolate PLC management interfaces from general corporate networks using dedicated management VLANs or jump hosts with enhanced monitoring. Disable web-based management interfaces if command-line or TIA Portal-based firmware update methods are available and preferred in your environment. Monitor authentication logs and firmware update attempts for suspicious patterns. Note that disabling web interfaces may impact operational convenience and remote management capabilities, requiring assessment of operational trade-offs. As this is a stored XSS requiring file interaction rather than automated exploitation, behavioral controls and user training provide meaningful risk reduction while patches are being deployed across industrial environments where change windows are limited.
Stored cross-site scripting (XSS) in Siemens SIMATIC S7-1500 and ET 200SP controller families allows authenticated attac
Stored cross-site scripting in Siemens SIMATIC S7-1500 controller family web interface allows authenticated high-privile
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29428
GHSA-r662-c7v7-m9h4