Introduction
A stored cross site scripting vulnerability in the embedded web server of Siemens SIMATIC S7 PLCs allows an attacker with engineering access to plant malicious JavaScript that fires in the browser of any operator who views a specific configuration page. With a CVSS v3.1 score of 9.1 and a scope change that extends impact beyond the PLC itself, CVE-2026-25786 represents a meaningful risk to industrial environments where web based PLC management is in use, particularly given that several affected product variants will never receive a fix.
Technical Information
The root cause of CVE-2026-25786 is classified under CWE 79: Improper Neutralization of Input During Web Page Generation. Affected SIMATIC S7 devices fail to properly validate and sanitize the PLC or station name when it is rendered on the "communication parameters" page of the embedded web interface. User controlled input, specifically the project name configured in TIA Portal, is reflected into the HTML of the web page without adequate encoding or escaping.
The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, and the CVSS v4.0 vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. The scope change (S:C in v3.1) is particularly significant: the vulnerable component is the PLC web server, but the impacted component is the browser session of the victim user, which operates in a different trust boundary.
Attack Flow
The exploitation path proceeds through the following stages:
-
Attacker prerequisites: The attacker must hold valid credentials and authorization to download a TIA project into the target PLC. This is a privileged operation, but in many industrial environments, engineering workstation access is shared or insufficiently segmented.
-
Payload crafting: The attacker creates a TIA project containing a malicious PLC or station name that includes JavaScript or other script content. This payload is embedded within the project metadata rather than injected through the web interface directly.
-
Project deployment: The attacker downloads (deploys) the crafted TIA project to the target SIMATIC S7 device using TIA Portal. The malicious station name is now persistently stored on the PLC.
-
Victim trigger: When any user with appropriate rights navigates to the communication parameters page of the PLC web interface, the web server renders the station name without proper sanitization. The injected script executes within the scope of the victim's authenticated web session.
-
Impact realization: Because the code runs with the victim's session context, the attacker can perform actions on behalf of the victim. This session scoped execution can impact confidentiality, integrity, and availability at high levels per the published CVSS vectors. Potential actions include reading sensitive configuration data, modifying PLC parameters, or disrupting operations.
This is a classic stored (persistent) XSS pattern, but the injection vector is unusual: the payload enters through the engineering tool (TIA Portal) rather than through the web interface itself. This makes traditional web application firewalls or input validation at the HTTP layer ineffective as a sole defense.
Sibling Vulnerabilities
The Siemens advisory SSA 688146 also documents related vulnerabilities with similar mechanics. CVE-2026-25787 targets the Technology Object name rendered on the Motion Control Diagnostics page, while CVE-2026-25789 targets filenames on the Firmware Update page. All three share the same fundamental weakness: trusting project or file metadata to be safe for rendering in HTML without sanitization.
Affected Systems and Versions
The advisory covers a broad set of SIMATIC S7 1500 and ET 200SP variants. The remediation landscape is uneven across product families:
| Product Family | Affected Versions | Remediation Status | Target Version |
|---|---|---|---|
| SIMATIC Drive Controller CPU 1504D TF | All versions prior to V3.1.6 | Update available | V3.1.6 or later |
| SIMATIC ET 200SP CPU 1510SP F 1 PN | All versions prior to V2.9.9 | Update available | V2.9.9 or later |
| SIMATIC S7 1500 CPU 1513 1 PN | All versions | Currently no fix is planned | None |
| SIMATIC S7 PLCSIM Advanced | All versions | Currently no fix is available | None |
This table represents a subset of the affected products listed in the full advisory. Organizations should consult SSA 688146 directly for the complete product list and corresponding remediation statuses.
For devices where updates are available, Siemens recommends updating to V2.9.9 or V3.1.6 depending on the product family. For devices where no fix is planned, compensating controls are mandatory. Siemens specifically recommends restricting TIA project download to trusted personnel only as the primary mitigation for CVE-2026-25786 and CVE-2026-25787. For CVE-2026-25789, organizations must restrict access to the firmware update function right to instructed personnel.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms and configuring the environment according to their operational guidelines for Industrial Security.



