Schneider Electric Modicon Controllers M241, M251, M258, and LMC058


Summary

Successful exploitation of this vulnerability could allow a cross-site scripting or open redirect attack, which could result in account takeover or the execution of attacker-controlled code in the user's browser.

The following versions of Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 are affected:

  • Modicon M241 versions prior to 5.4.13.12 (Modicon_Controller_M241)
  • Modicon M251 versions prior to 5.4.13.12 (Modicon_Controller_M251)
  • Modicon Controllers M258, all firmware versions (Modicon_Controllers_M258)
  • Modicon Controllers LMC058, all firmware versions (Modicon_Controllers_LMC058)

CVSS:
v3 5.4
Vendor:
Schneider Electric
Equipment:
Modicon Controllers M241, M251, M258, and LMC058
Vulnerabilities:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background

  • Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: France

Vulnerabilities


CVE-2025-13902

A CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow an authenticated attacker to have a victim's browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web page that contains the injected payload.
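As an added illustration (this is not code from Schneider Electric or from the controller firmware, and the advisory does not say where on the Modicon web server the input is reflected): the pattern behind a hover-triggered CWE-79 bug is an attacker-supplied string dropped into an HTML attribute without encoding. A double quote in the input closes the attribute, and a following `onmouseover=` becomes a real event handler that fires when the victim's pointer passes over the element. The function names, the sample payload and the small attribute scanner below are all assumptions made for this example.

```javascript
// Generic CWE-79 illustration in attribute context. Not Schneider Electric
// code; the element name, functions and payload are constructed for this page.

// Context-aware output encoding: the five characters that can change meaning
// inside a double-quoted attribute or a text node. This is the neutralization
// step that CWE-79 describes as missing.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable page generation: raw concatenation of a user-controlled label
// into both an attribute and a text node.
function renderLabelVulnerable(name) {
  return '<span title="' + name + '">' + name + "</span>";
}

// Hardened page generation: every interpolation point is encoded for its
// context before being placed in the markup.
function renderLabelHardened(name) {
  const safe = escapeHtmlAttr(name);
  return '<span title="' + safe + '">' + safe + "</span>";
}

// Constructed attacker input. The embedded double quote terminates the title
// attribute, and the remainder is parsed as a new attribute that the browser
// runs as script on hover.
const HOVER_PAYLOAD = 'pump1" onmouseover="alert(document.cookie)';

// Tiny scanner for a single element: returns the attribute names the browser
// would see in the opening tag. Used here to show the difference between the
// two renderings; it is not a defence and does not replace encoding.
function attributeNames(html) {
  const end = html.indexOf(">");
  const tag = end === -1 ? html : html.slice(1, end);
  const names = [];
  const attr = /\s([^\s=]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = attr.exec(tag)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Stand-alone demonstration.
console.log(renderLabelVulnerable(HOVER_PAYLOAD));
console.log(attributeNames(renderLabelVulnerable(HOVER_PAYLOAD))); // title, onmouseover
console.log(renderLabelHardened(HOVER_PAYLOAD));
console.log(attributeNames(renderLabelHardened(HOVER_PAYLOAD))); // title only
```

In the vulnerable rendering the scanner reports a second attribute, `onmouseover`, that the template never wrote; in the hardened rendering the quote is encoded as `&quot;`, so the whole payload stays inside the `title` value as inert text. The same encoding discipline applies to any other context (text node, URL, JavaScript string) where controller data is reflected into a generated page.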

Affected Products

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058
Vendor:
Schneider Electric
Product Version:
  • Schneider Electric Modicon M241 versions prior to 5.4.13.12 (Modicon_Controller_M241)
  • Schneider Electric Modicon M251 versions prior to 5.4.13.12 (Modicon_Controller_M251)
  • Schneider Electric Modicon Controllers M258, all firmware versions (Modicon_Controllers_M258)
  • Schneider Electric Modicon Controllers LMC058, all firmware versions (Modicon_Controllers_LMC058)
Product Status:
known_affected
Remediations

Mitigation
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:
  • Modicon Controller M241 firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1, includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer, available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/
  • On the engineering workstation, install EcoStruxure™ Machine Expert v2.5.0.1. For help, refer to the Schneider Electric Software Installer User Guide, available here: https://www.se.com/ww/en/download/document/EIO0000005500/
  • Update the Modicon Controller M241 to the latest firmware and reboot the controller. For instructions, refer to the Modicon M241 Logic Controller Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/

[…]

This article has been indexed from All CISA Advisories