CVE-2026-25786

Siemens · SIMATIC S7-1500 / TIA Portal (via "communication" parameters)

A stored cross-site scripting (XSS) vulnerability exists on the "communication" parameters page of the web interface, allowing authenticated attackers to inject malicious scripts.

Executive summary

An authenticated stored XSS vulnerability in the communication parameters page allows attackers to execute malicious scripts in the context of other users' web sessions.

Vulnerability

The application does not properly validate or sanitize PLC/station names rendered on the "communication" parameters page. An authenticated attacker who is authorized to download TIA projects to the device can inject scripts through these names; the scripts then execute within the web session of any user viewing the page.

Business impact

The CVSS score of 9.1 underscores the critical nature of this flaw, as it facilitates the compromise of user sessions. Successful exploitation can lead to unauthorized access to system parameters and potential manipulation of industrial communication settings, impacting operational integrity.

Remediation

Immediate Action: Apply the latest firmware or software updates released by the vendor to resolve the input validation issue.

Proactive Monitoring: Review web interface logs for suspicious activity and monitor for any unauthorized modifications to PLC or station names.

Compensating Controls: Implement strict role-based access control (RBAC) to limit the number of users who can download TIA projects to the device.
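One way to carry out the name monitoring described under Proactive Monitoring, as an added example that is not part of the advisory or any vendor tooling: it compares observed PLC/station names against an approved baseline, flags names outside a conservative naming policy, and HTML-escapes every name before it is reported. The naming policy, device identifiers and sample data are assumptions constructed for illustration; how names are collected from devices is out of scope.

```python
import html
import re

# Assumed naming policy (not from the advisory): letters, digits, space,
# underscore, dot and hyphen, 1 to 64 characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")


def audit_names(observed, baseline):
    """Audit observed PLC/station names against an approved baseline.

    observed, baseline: dict mapping a device id to its name.
    Returns a list of (device_id, reason, html_escaped_name) findings.
    """
    findings = []
    for device_id, name in sorted(observed.items()):
        reasons = []
        if not SAFE_NAME.fullmatch(name):
            reasons.append("violates-naming-policy")
        if device_id not in baseline:
            reasons.append("not-in-baseline")
        elif baseline[device_id] != name:
            reasons.append("changed-from-baseline")
        for reason in reasons:
            # Escape the name so the report itself cannot render markup.
            findings.append((device_id, reason, html.escape(name, quote=True)))
    return findings


# Constructed sample data: an approved baseline and a later observation.
BASELINE = {
    "plc-01": "Press_Line_1",
    "plc-02": "Packaging.Station-2",
    "plc-03": "Mixer 3",
}
OBSERVED = {
    "plc-01": "Press_Line_1",
    "plc-02": "Packaging<script>alert(1)</script>",
    "plc-03": "Mixer 4",
    "plc-04": "Spare_PLC",
}

if __name__ == "__main__":
    for device_id, reason, safe_name in audit_names(OBSERVED, BASELINE):
        print(f"{device_id}: {reason}: {safe_name}")
```

A name that passes the policy but differs from the baseline (plc-03 here) is still reported, since any unapproved rename is worth reviewing against the project download history.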

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Maintaining the integrity of the web management interface is essential for system security. Organizations must ensure that all relevant patches are applied to prevent the execution of malicious scripts and restrict project-level access to trusted, authenticated users only.