External risk intelligence

Siemens devices could allow authenticated users to hijack other user sessions.

Specific Siemens industrial control devices could allow an authenticated user to hijack the web sessions of other staff members. This could potentially expose the security of management console interactions within restricted operational networks.

NVD published May 12, 2026 (3 days ago)

External risk briefCRITICAL

CVE-2026-25787

Halo Surface Signal

1/ 5

This vulnerability affects industrial control devices confined to restricted, internal operational networks. The requirement for authorized access to upload project files further ensures these systems are not designed for or deployed as public-facing services, making internet reachability for this specific management interface very unlikely.

Exposure facts

CVSS

9.3

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS

0.04%

H – Horizon Alert

A security issue has been identified in the web interface of specific industrial control devices where Technology Object names are not properly validated. This flaw could allow an authorized user to inject malicious scripts directly into the "Motion Control Diagnostics" page. Consequently, if a legitimate user accesses this page, the malicious code could execute within their active web session, potentially compromising the security of their interactions with the system.

A – Asset Exposure

This issue affects the web interface on industrial control devices, specifically the pages used for managing motion control diagnostics. Because the vulnerability requires an attacker to already have authorized access to upload project files, the risk is typically confined to internal, restricted operational networks rather than public-facing systems. If exploited, an attacker could compromise the web sessions of other authorized staff, potentially leading to unauthorized actions within the management console.

L – Live Threat

The available information does not indicate active exploitation or observed targeting of this vulnerability. Currently, there is no evidence of public exploit code or widespread activity suggesting an imminent threat. Consequently, the immediate risk signals remain low, as we have not identified any verified reports of this weakness being leveraged by external actors.

O – Operational Fix

To mitigate this risk, we recommend prioritizing a review of the authorized personnel who possess permissions to download TIA projects, as this access is a prerequisite for the vulnerability. Please consult the official Siemens security advisory for the most current guidance on remediation or potential workarounds. We also advise validating your current system configurations and maintaining strict access controls while monitoring for additional updates from the vendor.

References

cert-portal.siemens.com/productcert/html/ssa-688146.html