Siemens SIMATIC S7 PLCs Cross-Site Scripting Vulnerability in Web Interface

Vulnerability

A cross-site scripting vulnerability has been identified in Siemens SIMATIC S7-1500 PLCs, including related ET 200 CPUs and SIPLUS variants. The issue arises because affected devices do not properly validate and sanitize Technology Object names displayed on the 'Motion Control Diagnostics' page of the web interface. This flaw could enable an authenticated attacker, authorized to download a TIA project, to inject malicious scripts. If a user with the appropriate rights accesses the 'Motion Control Diagnostics' parameters page, the injected code would execute within their web session.
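The class of flaw described above, shown as an added example that is not Siemens code and not taken from the advisory: a stored name rendered into a diagnostics table without encoding, next to a version that encodes at output and audits names at input. The function names, the naming policy and the sample objects are assumptions made for illustration.

```javascript
// Added illustration of the bug class; not the device's firmware or web server code.

// Assumed naming policy for this example only: letters, digits, underscore,
// space and hyphen, 1 to 64 characters.
const NAME_POLICY = /^[A-Za-z0-9_ \-]{1,64}$/;

// Encode the characters that are significant in HTML text and attribute contexts.
// A single pass over the input avoids double-encoding the '&' of emitted entities.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup unchanged,
// so any markup inside the name becomes part of the page.
function renderRowUnsafe(obj) {
  return "<tr><td>" + obj.name + "</td><td>" + obj.status + "</td></tr>";
}

// Hardened pattern: every stored field is encoded at the point of output,
// regardless of who supplied it or how trusted the project source is.
function renderRowSafe(obj) {
  return "<tr><td>" + escapeHtml(obj.name) + "</td><td>" + escapeHtml(obj.status) + "</td></tr>";
}

// Input-side check: list names that fall outside the policy, for review
// before a project is accepted. This complements output encoding; it does not replace it.
function auditNames(objects) {
  return objects.filter((o) => !NAME_POLICY.test(o.name)).map((o) => o.name);
}

// Constructed sample data (hypothetical object names, harmless markup only).
const sampleObjects = [
  { name: "PositioningAxis_1", status: "OK" },
  { name: "<b>Axis_2</b>", status: "OK" },
  { name: 'Axis "3" & spare', status: "Error" },
];

console.log(sampleObjects.map(renderRowSafe).join("\n"));
console.log("Names outside policy:", auditNames(sampleObjects));
```
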

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's web session, potentially leading to session hijacking or credential theft.

Remediation

Siemens recommends restricting TIA project downloads to trusted personnel only. For specific product remediations, consult the Siemens Security Advisory SSA-688146.

Added: May 12, 2026, 10:30 AM
Updated: May 12, 2026, 10:30 AM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 1.7
exploitability: 3.2
remediation: 7.9
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.