ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-25786 Stored XSS in Siemens SIMATIC S7 PLC Web Interface

A brief summary of CVE-2026-25786, a high severity stored cross site scripting vulnerability in Siemens SIMATIC S7 PLC web servers that allows authenticated attackers to inject malicious scripts via crafted TIA project names, impacting sessions of other privileged users.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-25786 Stored XSS in Siemens SIMATIC S7 PLC Web Interface
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A stored cross site scripting vulnerability in the embedded web server of Siemens SIMATIC S7 PLCs allows an attacker with engineering access to plant malicious JavaScript that fires in the browser of any operator who views a specific configuration page. With a CVSS v3.1 score of 9.1 and a scope change that extends impact beyond the PLC itself, CVE-2026-25786 represents a meaningful risk to industrial environments where web based PLC management is in use, particularly given that several affected product variants will never receive a fix.

Technical Information

The root cause of CVE-2026-25786 is classified under CWE 79: Improper Neutralization of Input During Web Page Generation. Affected SIMATIC S7 devices fail to properly validate and sanitize the PLC or station name when it is rendered on the "communication parameters" page of the embedded web interface. User controlled input, specifically the project name configured in TIA Portal, is reflected into the HTML of the web page without adequate encoding or escaping.

The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, and the CVSS v4.0 vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. The scope change (S:C in v3.1) is particularly significant: the vulnerable component is the PLC web server, but the impacted component is the browser session of the victim user, which operates in a different trust boundary.

Attack Flow

The exploitation path proceeds through the following stages:

  1. Attacker prerequisites: The attacker must hold valid credentials and authorization to download a TIA project into the target PLC. This is a privileged operation, but in many industrial environments, engineering workstation access is shared or insufficiently segmented.

  2. Payload crafting: The attacker creates a TIA project containing a malicious PLC or station name that includes JavaScript or other script content. This payload is embedded within the project metadata rather than injected through the web interface directly.

  3. Project deployment: The attacker downloads (deploys) the crafted TIA project to the target SIMATIC S7 device using TIA Portal. The malicious station name is now persistently stored on the PLC.

  4. Victim trigger: When any user with appropriate rights navigates to the communication parameters page of the PLC web interface, the web server renders the station name without proper sanitization. The injected script executes within the scope of the victim's authenticated web session.

  5. Impact realization: Because the code runs with the victim's session context, the attacker can perform actions on behalf of the victim. This session scoped execution can impact confidentiality, integrity, and availability at high levels per the published CVSS vectors. Potential actions include reading sensitive configuration data, modifying PLC parameters, or disrupting operations.

This is a classic stored (persistent) XSS pattern, but the injection vector is unusual: the payload enters through the engineering tool (TIA Portal) rather than through the web interface itself. This makes traditional web application firewalls or input validation at the HTTP layer ineffective as a sole defense.

Sibling Vulnerabilities

The Siemens advisory SSA 688146 also documents related vulnerabilities with similar mechanics. CVE-2026-25787 targets the Technology Object name rendered on the Motion Control Diagnostics page, while CVE-2026-25789 targets filenames on the Firmware Update page. All three share the same fundamental weakness: trusting project or file metadata to be safe for rendering in HTML without sanitization.

Affected Systems and Versions

The advisory covers a broad set of SIMATIC S7 1500 and ET 200SP variants. The remediation landscape is uneven across product families:

Product FamilyAffected VersionsRemediation StatusTarget Version
SIMATIC Drive Controller CPU 1504D TFAll versions prior to V3.1.6Update availableV3.1.6 or later
SIMATIC ET 200SP CPU 1510SP F 1 PNAll versions prior to V2.9.9Update availableV2.9.9 or later
SIMATIC S7 1500 CPU 1513 1 PNAll versionsCurrently no fix is plannedNone
SIMATIC S7 PLCSIM AdvancedAll versionsCurrently no fix is availableNone

This table represents a subset of the affected products listed in the full advisory. Organizations should consult SSA 688146 directly for the complete product list and corresponding remediation statuses.

For devices where updates are available, Siemens recommends updating to V2.9.9 or V3.1.6 depending on the product family. For devices where no fix is planned, compensating controls are mandatory. Siemens specifically recommends restricting TIA project download to trusted personnel only as the primary mitigation for CVE-2026-25786 and CVE-2026-25787. For CVE-2026-25789, organizations must restrict access to the firmware update function right to instructed personnel.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms and configuring the environment according to their operational guidelines for Industrial Security.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization