IM
IronMonkey Threat Research
‹ Back to ICS Advisories

SSA-688146: Multiple Cross-Site Scripting Vulnerabilities in SIMATIC S7 PLCs Web Server

CRITICAL
CVSS 9.1
Date 2026-07-14T00:00:00+00:00
Source siemens-productcert
Published by Siemens ProductCERT

// Description

SIMATIC S7 PLCs contain multiple vulnerabilities in the web server that could allow an attacker to perform cross-site scripting attacks. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.

// Vulnerabilities (3)

CVE ID CVSS Score Severity Description
CVE-2026-25786 9.1 critical
CVE-2026-25786. Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the page. If a benign user with appropriate rights accesses the "communication" parameters page, the malicious code would be executed in the scope of their web session.
CVE-2026-25787 9.1 critical
CVE-2026-25787. Affected devices do not properly validate and sanitize Technology Object (TO) name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the page. If a benign user with appropriate rights accesses the "Motion Control Diagnostics" parameters page, the malicious code would be executed in the scope of their web session.
CVE-2026-25789 7.1 high
CVE-2026-25789. Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malitcious JavaScript execution in the context of the authenticated user's session without requiring the file to be uploaded, potentially leading to session hijacking or credential theft.

// Affected Products (98)

Vendor Product Asset Type Purdue Level Firmware
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--
Siemens Unknown plc
L1
--

// Remediations (8)

Patch: Update to V3.1.6 or later version
Update to V3.1.6 or later version
Patch: Update to V2.9.9 or later version
Update to V2.9.9 or later version
Patch: Update to V3.1.6 or later version
Update to V3.1.6 or later version
Mitigation: Restrict access to the function right "firmware update" to instructed personnel.
Restrict access to the function right "firmware update" to instructed personnel.
Patch: Update to V4.1.6 or later version
Update to V4.1.6 or later version
Patch: Update to V2.9.9 or later version
Update to V2.9.9 or later version
Mitigation: Restrict access to the function right "firmware update" to instructed personnel.
Restrict access to the function right "firmware update" to instructed personnel.
Patch: Update to V3.1.6 or later version
Update to V3.1.6 or later version

// References