PatchSiren cyber security CVE debrief
CVE-2026-25787 Cert Portal CVE debrief
CVE-2026-25787 is an authenticated cross-site scripting issue in the Siemens SIMATIC web interface. A Technology Object (TO) name shown on the Motion Control Diagnostics page is not properly validated or sanitized, so a user who can download a TIA project into the product may inject malicious scripts. If another user with suitable rights opens that page, the script runs in that user's web session.
- Vendor
- Cert Portal
- Product
- Siemens SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0) vers:intdot/<3.1.6 SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0) SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0) vers:all/* SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0) vers:intdot/<2.9.9 SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0) SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0) SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0) SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0) SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0) SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0) SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0) SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0) SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0) SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0) SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0) SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0) SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0) SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0) SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V2 CPUs SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V3 CPUs SIMATIC ET 200SP Open Controller CPU 1515SP PC3 V4 CPUs SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0) SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0) SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0) SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0) SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0) SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0) SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0) SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0) SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0) SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0) SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0) SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0) SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0) SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0) SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0) SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0) SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0) SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0) SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0) SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0) SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0) SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0) SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0) SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0) SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0) SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0) SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0) SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0) SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0) SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0) SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0) SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0) SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0) SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0) SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0) SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0) SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0) SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0) SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0) SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0) SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0) SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0) SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0) SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0) SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0) SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0)
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
OT administrators, Siemens SIMATIC owners, PLC engineering teams, and security teams responsible for the listed SIMATIC Drive Controller and S7-1500 / ET 200SP products should prioritize this advisory, especially where the web interface is enabled and TIA project import/download rights are broadly assigned.
Technical summary
The advisory describes a reflected/stored web UI injection condition on the Motion Control Diagnostics page. The vulnerable data path is the Technology Object name, which is rendered without adequate validation/sanitization. Exploitation requires authentication and authorization to download a TIA project into the device, but the impact is significant because the injected script executes in the scope of a benign user's web session. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, with a score of 9.1.
Defensive priority
Critical. Although the attack requires high privileges, the combination of network exposure, web-session impact, and possible abuse of trusted engineering workflows makes this a high-priority remediation item for OT environments.
Recommended defensive actions
- Apply Siemens vendor fixes where available: update to V3.1.6 or later for the affected Drive Controller CPU 1504D TF and related entries covered by that remediation.
- Apply Siemens vendor fixes where available: update to V2.9.9 or later for the affected ET 200SP / S7-1500 entries covered by that remediation.
- Where the advisory states no fix is currently available or no fix is planned, implement compensating controls and track vendor guidance for future updates.
- Restrict TIA project download privileges to trusted personnel only, as recommended in the advisory.
- Limit access to the device web interface to necessary administrative networks and users.
- Review OT account assignment and remove unnecessary high-privilege access that could allow project download into the product.
- Monitor for unexpected content or behavior on the Motion Control Diagnostics page and other web UI pages that render project-supplied names.
- Use Siemens and CISA recommended industrial-control-system hardening practices to reduce exposure while patching is pending.
Evidence notes
This debrief is based on the supplied CISA CSAF advisory ICSA-26-134-15 and the referenced Siemens ProductCERT advisory SSA-688146. The source corpus states the issue was published on 2026-05-12 and modified on 2026-05-14; those dates are used as the CVE timing context here. The corpus also links the remediation options to Siemens update paths and a compensating control to restrict TIA project download to trusted personnel only. No exploit code or offensive reproduction steps were used.
Official resources
-
CVE-2026-25787 CVE record
CVE.org
-
CVE-2026-25787 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in CISA CSAF advisory ICSA-26-134-15 on 2026-05-12, with a CISA republication of the Siemens advisory on 2026-05-14.