CVE-2025-13902
Received Received - Intake
Cross-site Scripting in Web Server Enables Arbitrary JavaScript Execution

Publication date: 2026-03-10

Last updated on: 2026-03-10

Assigner: Schneider Electric SE

Description
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause condition where authenticated attackers can have a victim’s browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13902
EUVD
EUVD-2025-208500
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
schneider_electric modicon_controllers_m241 to 5.4.13.12 (exc)
schneider_electric modicon_controllers_m251 to 5.4.13.12 (exc)
schneider_electric modicon_controllers_m258 *
schneider_electric lmc058 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability is a Cross-site Scripting (XSS) issue classified as CWE-79, found in Schneider Electric's Modicon Controllers M241, M251, M258, and LMC058 products. It allows authenticated attackers to inject malicious JavaScript code that executes in a victim's browser when the victim hovers over a specially crafted element on a compromised web server."}, {'type': 'paragraph', 'content': "The attack requires the attacker to have some level of authentication and involves user interaction (hovering over the malicious element). The vulnerability can lead to arbitrary code execution within the victim's browser."}] [1]

Impact Analysis

This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript code in your browser, potentially leading to account takeover or unauthorized actions performed in your browser context.

Since the affected devices are Programmable Logic Controllers used in performance-demanding applications, exploitation could compromise the integrity and confidentiality of control systems, possibly affecting operational processes.

The vulnerability has a medium severity score (CVSS v4.0 base score of 5.1) and requires low privileges and user interaction, meaning it is moderately easy to exploit if the attacker is authenticated.

Compliance Impact

I don't know

Detection Guidance

The vulnerability involves Cross-site Scripting (CWE-79) in Schneider Electric Modicon Controllers M241, M251, M258, and LMC058, which allows authenticated attackers to execute arbitrary JavaScript when a victim interacts with a malicious element on the web server.

Detection involves identifying if your system is running affected firmware versions (prior to 5.4.13.12 for M241 and M251, and all versions for M258 and LMC058).

While specific commands are not provided in the available resources, general detection steps include:

  • Checking the firmware version of your Modicon controllers to confirm if they are vulnerable.
  • Monitoring HTTP/HTTPS traffic to and from the controllers for suspicious payloads or unusual JavaScript injections.
  • Using web vulnerability scanners or manual testing to attempt XSS payload injection on the web interface of the controllers.
Mitigation Strategies

Immediate mitigation steps recommended by Schneider Electric include:

  • Update the firmware of affected Modicon M241 and M251 controllers to version 5.4.13.12 or later using EcoStruxureβ„’ Machine Expert software version 2.5.0.1.
  • If patching is not immediately possible, operate controllers in protected environments with no exposure to public or untrusted networks.
  • Enforce user management and strong password policies.
  • Disable the webserver on the controllers when it is not in use.
  • Use encrypted communication channels.
  • Implement network segmentation and firewalls to block unauthorized access to HTTP (port 80) and HTTPS (port 443).
  • Employ VPN tunnels for remote access.
  • Follow product-specific hardening guidelines as per Schneider Electric’s cybersecurity documentation.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13902. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart