External risk intelligence

Siemens PLC web interface could allow authorized users to compromise other users' web sessions.

The web interface of Siemens PLC industrial devices could allow an authenticated individual with project-loading access to inject malicious scripts, potentially compromising admin access or operational systems by masquerading as a legitimate user. This risk is limited to internal environments and is not currently bein…

NVD published May 12, 2026 (3 days ago)

External risk briefCRITICAL

CVE-2026-25786

Halo Surface Signal

2/ 5

This vulnerability involves the web interface of industrial PLCs typically deployed within restricted, internal operational environments. While these interfaces are network-accessible within local segments, they are not intended for and are uncommonly exposed to the public internet. Access is generally confined to internal network users with specific administrative permissions.

Exposure facts

CVSS

9.3

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS

0.04%

H – Horizon Alert

A security vulnerability has been identified within the web interface of certain industrial devices involving the improper handling of specific system input data. This flaw could allow an authenticated individual with project-loading access to inject malicious scripts that execute when a subsequent user interacts with the compromised page. This is significant because it could enable unauthorized actions to be performed within the management interface while masquerading as a legitimate, authenticated user.

A – Asset Exposure

This vulnerability affects the web interface of industrial devices used to manage PLC and station configurations. These systems are typically deployed within restricted operational environments, meaning risk is generally limited to individuals with existing internal network access. If an account is compromised, a malicious script could be injected and subsequently executed when a legitimate user visits the communication settings page, potentially impacting admin access or the security of operational systems.

L – Live Threat

Current analysis indicates that this issue involves a potential script injection, but the available context does not indicate active exploitation or observed targeting. This vulnerability is limited by its requirements, as an attacker must already be authenticated and authorized to download specific projects to initiate the issue. Consequently, we view this as a contained risk given the necessary prerequisites for a successful attack.

O – Operational Fix

Please review the security advisory on the official Siemens portal to determine the appropriate steps for your specific environment. Given the nature of this vulnerability, prioritize validating your current system configurations and ensuring that access to TIA project downloads is restricted to authorized personnel only. Continue to monitor vendor communications for any recommended patches or operational guidance to maintain the integrity of your devices.

References

cert-portal.siemens.com/productcert/html/ssa-688146.html