
Cross‑Site Scripting in Schneider Electric Modicon Controllers (CVE‑2025‑13902) Threatens Industrial Operations

Schneider Electric’s Modicon PLCs (M241, M251, M258, LMC058) contain a reflected cross‑site scripting flaw (CVE‑2025‑13902) that could let an authenticated attacker execute arbitrary JavaScript in a victim’s browser. The affected controllers are deployed across critical‑infrastructure sectors, creating supply‑chain and safety risks for downstream operators.

🛡️ LiveThreat™ Intelligence · 📅 March 19, 2026 · 📰 cisa.gov

Severity: Medium · Type: Vulnerability · Confidence: High · Affected: 1 sector(s) · Actions: 5 recommended · Source: cisa.gov


What It Is – A reflected Cross‑Site Scripting (XSS) flaw (CVE‑2025‑13902) exists in the web interface of Schneider Electric’s Modicon M241, M251, M258 and LMC058 PLC controllers. An authenticated attacker can inject JavaScript that executes in a victim’s browser when the user interacts with a crafted page element.

Exploitability – The vulnerability is publicly disclosed and has a CVSS v3.1 base score of 5.4 (Moderate). No public exploit code has been released, but the attack vector is straightforward for anyone with valid credentials to the controller’s web UI.

Affected Products

  • Modicon M241 firmware < 5.4.13.12
  • Modicon M251 firmware < 5.4.13.12
  • All firmware versions of Modicon M258
  • All firmware versions of Modicon LMC058
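As an added example (not code from the advisory, the brief, or Schneider Electric), a small Python triage helper that applies the version conditions above to an asset inventory; the inventory rows, the OTHERMODEL entry and the model-name normalisation are assumptions. It compares firmware versions numerically, because a plain string comparison misorders 5.4.13.9 against 5.4.13.12.

```python
# Added example: flag Modicon assets affected by CVE-2025-13902 using the version
# conditions in this brief (M241/M251 fixed in 5.4.13.12; M258/LMC058: all versions).
# The inventory at the bottom is constructed sample data, not real devices.
from typing import Optional

# Product family -> fixed firmware version, or None when every version is affected
AFFECTED_RULES: dict[str, Optional[str]] = {
    "M241": "5.4.13.12",
    "M251": "5.4.13.12",
    "M258": None,
    "LMC058": None,
}

def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted firmware version into an integer tuple so that
    5.4.13.9 sorts below 5.4.13.12 (a plain string compare gets this wrong)."""
    parts = v.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric version component in {v!r}")
    return tuple(int(p) for p in parts)

def is_affected(model: str, firmware: str) -> bool:
    """True when the device is vulnerable under the advisory's conditions."""
    key = model.strip().upper()
    if key not in AFFECTED_RULES:
        return False  # product not covered by this advisory
    fixed = AFFECTED_RULES[key]
    if fixed is None:
        return True  # all firmware versions affected
    return parse_version(firmware) < parse_version(fixed)

def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Given (name, model, firmware) rows, return the names still needing the update."""
    return [name for name, model, fw in inventory if is_affected(model, fw)]

# Constructed sample inventory (hypothetical names, models and versions)
SAMPLE_INVENTORY = [
    ("plc-line1", "M241", "5.4.13.9"),     # below fixed version -> affected
    ("plc-line2", "M241", "5.4.13.12"),    # at fixed version -> patched
    ("plc-line3", "M251", "5.4.13.100"),   # patched; a string compare would flag it
    ("plc-pack1", "M258", "5.9.0.0"),      # every version affected
    ("motion-1", "LMC058", "1.0.0.0"),     # every version affected
    ("hmi-1", "OTHERMODEL", "2.0.0.0"),    # hypothetical model not in the advisory
]

if __name__ == "__main__":
    print("needs update:", triage(SAMPLE_INVENTORY))
```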

TPRM Impact – These controllers are embedded in critical‑infrastructure environments (commercial facilities, critical manufacturing, energy). A successful XSS chain can lead to credential theft, unauthorized configuration changes, or lateral movement into OT networks, exposing downstream customers to service disruption and safety incidents.

Recommended Actions

  • Patch immediately – Apply Schneider Electric’s firmware update to version 5.4.13.12 (or later) for M241/M251; upgrade M258/LMC058 to the latest available release.
  • Restrict web UI access – Limit access to trusted IP ranges, enforce multi‑factor authentication, and disable internet‑facing exposure.
  • Web‑application hardening – Deploy a web‑application firewall (WAF) with XSS rules for the controller’s management interface.
  • Monitor for anomalous activity – Enable logging of web UI sessions and alert on unexpected JavaScript payloads or redirects.
  • Supply‑chain review – Verify that any third‑party systems that integrate with the affected controllers are also patched or isolated.

Source: CISA Advisory – ICSA‑26‑078‑02

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-02

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
