1. EXECUTIVE SUMMARY
- CVSS v4 7.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Schneider Electric
- Equipment: Modicon Controllers
- Vulnerabilities: Improper Input Validation, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the device or cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
- Modicon Controllers M241: Versions prior to 5.3.12.51
- Modicon Controllers M251: Versions prior to 5.3.12.51
- Modicon Controllers M262: Versions prior to 5.3.9.18 (CVE-2025-3898, CVE-2025-3117)
- Modicon Controllers M258: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117)
- Modicon Controllers LMC058: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117)
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER INPUT VALIDATION CWE-20
An improper input validation vulnerability exists that could cause a denial-of-service condition when an authenticated malicious user sends an HTTPS request containing an invalid data type to the webserver.
CVE-2025-3898 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3898. A base score of 7.1 has been calculated; the CVSS vector string is (