External risk intelligence

Siemens PLCs could allow internal attacker to compromise user web sessions.

CVE advisory. Severity: CRITICAL (CVSS 9.3)

CVE-2026-25786

Siemens PLCs have a flaw allowing an internal attacker to inject code into the web interface. If a legitimate user accesses the device, the attacker can hijack their session to modify critical operational settings or gain unauthorized control over the industrial system.

Halo Surface Signal score: 1

Cross-site Scripting

External exposure likelihood

Halo Surface Signal score for CVE-2026-25786

This vulnerability affects Programmable Logic Controllers (PLCs), which are specialized industrial devices deployed within isolated operational technology or internal manufacturing networks. They are not intended for public internet exposure, and the attack path requires authorized access to an engineering environment to deploy projects, keeping this surface restricted and internal.

Horizon Alert

Summary of the vulnerability and why it matters

This issue impacts Siemens industrial devices that use a web interface. An attacker with project download access could inject malicious code into a specific page. If another authorized user views that page, the code runs within their browser session, potentially leading to unauthorized actions.

  • Requires authenticated access.
  • Targets the user's browser.
  • Impacts web interface.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access to download a TIA project can inject malicious scripts into the web interface by manipulating PLC/station names. When a legitimate user with the right permissions views the communication parameters page, the script executes within their browser session, potentially leading to further compromise.

  • Requires authenticated access.
  • Targets the web interface.
  • User must view the page.

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to weaponize this CVE. The vulnerability requires authenticated access and the ability to download projects into a Siemens PLC, making exploitation difficult outside of targeted environments. The specialized nature and limited exposure of PLCs further reduce their attractiveness for broad attacks.

  • Exploitation requires authenticated access.
  • Vulnerability affects isolated industrial devices.
  • No public exploit or KEV signals observed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize investigating which PLC devices are exposed and whether authenticated users with download privileges exist. This vulnerability could allow an attacker to inject malicious scripts, leading to session hijacking for users who access the communication parameters page.

  • Isolate or take affected services offline.
  • Monitor for suspicious web traffic patterns.
  • Restrict access to project download functionality.

Frequently asked questions

What is the software context for CVE-2026-25786, affecting Siemens devices?

CVE-2026-25786 impacts Siemens industrial devices featuring a web interface. The vulnerability lies in how these devices validate and sanitize PLC/station names displayed on the 'communication' parameters page. This could allow an authenticated attacker to inject malicious scripts into the web interface.

How is CVE-2026-25786 classified, and what is its weakness class?

This vulnerability is a cross-site scripting (XSS) issue, specifically CWE-79. An authenticated attacker can inject malicious scripts into the 'communication' parameters page by manipulating PLC/station names. The weakness allows for script injection into user-facing web pages.

What is the trigger path for CVE-2026-25786, and does it involve a change of scope?

The trigger path involves an authenticated attacker who can download a TIA project into the product. By injecting malicious scripts into the PLC/station name, the attacker stages the attack; the malicious code then executes in the scope of a benign user's web session when that user accesses the 'communication' parameters page.
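The stored path described in the Attack Path section and in this answer, modeled as a constructed JavaScript example added here (not Siemens' code): a project carrying station names is downloaded to a device model, which later renders them on a communication parameters page, once without encoding and once with output encoding plus an assumed allow-list check at download time. The template, the device model and the name policy are assumptions.

```javascript
// Added example (not Siemens code): a minimal model of the stored-XSS path this
// advisory describes. A project carrying PLC/station names is "downloaded" to a
// device, and the device later renders those names on a communication
// parameters page. Template, name policy and device model are assumptions.

// Constructed sample input: one benign name and one carrying HTML markup.
const SAMPLE_PROJECT = {
  stations: ["PLC_Line3_Station07", "<b>Station</b><script>probe()</script>"],
};

// HTML-entity encoding for text placed in element content or quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed allow-list for station names, checked at project download time:
// letters, digits, '_', '-', '.', 1 to 64 characters.
const STATION_NAME_RE = /^[A-Za-z0-9_.-]{1,64}$/;
function isValidStationName(name) {
  return STATION_NAME_RE.test(name);
}

// Vulnerable device: accepts any name and concatenates it into the page,
// so markup inside a name becomes part of the page another user views.
function downloadProjectVulnerable(project) {
  return { stations: [...project.stations] };
}
function renderCommParamsVulnerable(device) {
  return device.stations.map((n) => `<tr><td>Station</td><td>${n}</td></tr>`).join("");
}

// Hardened device: validates names on download (defence in depth) and encodes
// at the output point, so the browser always treats the name as text.
function downloadProjectSafe(project) {
  const bad = project.stations.filter((n) => !isValidStationName(n));
  if (bad.length) throw new Error(`rejected station names: ${bad.map(escapeHtml).join(", ")}`);
  return { stations: [...project.stations] };
}
function renderCommParamsSafe(device) {
  return device.stations.map((n) => `<tr><td>Station</td><td>${escapeHtml(n)}</td></tr>`).join("");
}

// Check: does any <td> value cell still contain a raw tag (anything but the closing </td>)?
function cellsContainRawTag(html) {
  return /<td>[^<]*<(?!\/td>)/.test(html);
}
```

The encoding step alone neutralizes a name that already reached the device; the download-time check additionally stops such a name from being stored at all.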

What is the relevance of CVE-2026-25786, considering Halo Surface Signal?

According to Halo Surface Signal, this vulnerability is 'Very unlikely' to be exploited externally. It affects Programmable Logic Controllers (PLCs) typically found in isolated industrial networks, not publicly exposed. The attack also requires authenticated access to download projects, limiting its surface.

What is the practical response for organizations dealing with CVE-2026-25786?

Organizations should investigate the exposure of PLC devices and the presence of authenticated users with download privileges. Potential responses include isolating affected services or taking them offline, monitoring for suspicious web traffic, and restricting access to project download functionality to mitigate the risk of script injection and session compromise.
