CVE-2025-13902
Cross-site Scripting in Web Server Enables Arbitrary JavaScript Execution
Publication date: 2026-03-10
Last updated on: 2026-03-10
Assigner: Schneider Electric SE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| schneider_electric | modicon_controllers_m241 | to 5.4.13.12 (exc) |
| schneider_electric | modicon_controllers_m251 | to 5.4.13.12 (exc) |
| schneider_electric | modicon_controllers_m258 | * |
| schneider_electric | lmc058 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-site Scripting (XSS) issue classified as CWE-79, found in Schneider Electric's Modicon Controllers M241, M251, M258, and LMC058 products. It allows authenticated attackers to inject malicious JavaScript code that executes in a victim's browser when the victim hovers over a specially crafted element on a compromised web server.
The attack requires the attacker to have some level of authentication and involves user interaction (hovering over the malicious element). The vulnerability can lead to arbitrary code execution within the victim's browser. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to execute arbitrary JavaScript code in your browser, potentially leading to account takeover or unauthorized actions performed in your browser context.
Since the affected devices are Programmable Logic Controllers used in performance-demanding applications, exploitation could compromise the integrity and confidentiality of control systems, possibly affecting operational processes.
The vulnerability has a medium severity score (CVSS v4.0 base score of 5.1) and requires low privileges and user interaction, meaning it is moderately easy to exploit if the attacker is authenticated.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves Cross-site Scripting (CWE-79) in Schneider Electric Modicon Controllers M241, M251, M258, and LMC058, which allows authenticated attackers to execute arbitrary JavaScript when a victim interacts with a malicious element on the web server.
Detection involves identifying if your system is running affected firmware versions (prior to 5.4.13.12 for M241 and M251, and all versions for M258 and LMC058).
While specific commands are not provided in the available resources, general detection steps include:
- Checking the firmware version of your Modicon controllers to confirm if they are vulnerable.
- Monitoring HTTP/HTTPS traffic to and from the controllers for suspicious payloads or unusual JavaScript injections.
- Using web vulnerability scanners or manual testing to attempt XSS payload injection on the web interface of the controllers.
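As an added example (not code from the advisory or from Schneider Electric), the first two detection steps above in Python: a firmware version check against the affected ranges listed in the table on this page, and a scan of web server access-log lines for script-injection indicators. The log lines, the URL paths and the indicator patterns are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Affected ranges from the advisory table: M241/M251 are fixed in 5.4.13.12
# (exclusive upper bound); M258 and LMC058 list no fixed version ("*").
FIXED_VERSION = {
    "modicon_controllers_m241": "5.4.13.12",
    "modicon_controllers_m251": "5.4.13.12",
    "modicon_controllers_m258": None,
    "lmc058": None,
}

def parse_version(version):
    """'5.4.13.12' -> (5, 4, 13, 12) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))

def is_affected(product, firmware_version):
    """True when the firmware is inside the advisory's affected range for the product."""
    if product not in FIXED_VERSION:
        raise ValueError(f"product not in advisory table: {product}")
    fixed = FIXED_VERSION[product]
    if fixed is None:          # "*": every version is affected
        return True
    return parse_version(firmware_version) < parse_version(fixed)

# Indicators of script injection in requests to the controller web server: script tags,
# javascript: URLs and inline event handlers (the advisory notes the payload fires on hover).
XSS_INDICATORS = re.compile(
    r"<\s*script|javascript\s*:|\bon(?:mouseover|mouseenter|load|error|click)\s*=",
    re.IGNORECASE,
)

def suspicious_requests(log_lines):
    """Return (line_no, decoded_line) for access-log lines carrying XSS indicators."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        decoded = unquote(unquote(line))   # two passes so double-encoding is not missed
        if XSS_INDICATORS.search(decoded):
            hits.append((line_no, decoded))
    return hits

# Constructed sample access-log lines (hypothetical, not taken from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - admin [10/Mar/2026:10:01:22] "GET /index.htm HTTP/1.1" 200 1234',
    '10.0.0.7 - operator [10/Mar/2026:10:02:03] "POST /cfg/label?name=%3Cb%20onmouseover%3D1%3E HTTP/1.1" 200 87',
    '10.0.0.9 - admin [10/Mar/2026:10:02:41] "GET /status?tag=%253Cscript%253E HTTP/1.1" 200 45',
    '10.0.0.5 - admin [10/Mar/2026:10:03:10] "GET /help?topic=onboarding HTTP/1.1" 200 512',
    '10.0.0.5 - admin [10/Mar/2026:10:03:15] "GET /docs/javascript-guide.htm HTTP/1.1" 200 900',
]
```

The word boundary and the trailing `=` in the event-handler pattern keep ordinary paths such as `/help?topic=onboarding` and `/docs/javascript-guide.htm` from producing false positives.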
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps recommended by Schneider Electric include:
- Update the firmware of affected Modicon M241 and M251 controllers to version 5.4.13.12 or later using EcoStruxure™ Machine Expert software version 2.5.0.1.
- If patching is not immediately possible, operate controllers in protected environments with no exposure to public or untrusted networks.
- Enforce user management and strong password policies.
- Disable the webserver on the controllers when it is not in use.
- Use encrypted communication channels.
- Implement network segmentation and firewalls to block unauthorized access to HTTP (port 80) and HTTPS (port 443).
- Employ VPN tunnels for remote access.
- Follow product-specific hardening guidelines as per Schneider Electric's cybersecurity documentation.