CVE-2025-13970
CSRF Vulnerability in OpenPLC_V3 Enables Unauthorized PLC Control
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openplc | openplc | 4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OpenPLC_V3 is a cross-site request forgery (CSRF) attack caused by the lack of proper CSRF validation. It allows an unauthenticated attacker to trick a logged-in administrator into clicking a malicious link, which can lead to unauthorized changes to PLC settings or uploading malicious programs.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized modification of PLC settings or the upload of malicious programs, potentially causing significant disruption or damage to connected systems.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately implement proper CSRF protections such as CSRF tokens in the OpenPLC_V3 web interface. Additionally, restrict access to the administrative interface to trusted networks and users only, and educate administrators to avoid clicking on suspicious links while logged in. Applying any available patches or updates from the vendor is also recommended.