PatchSiren cyber security CVE debrief
CVE-2026-25789 Cert Portal CVE debrief
CVE-2026-25789 is a Siemens SIMATIC PLC web-server issue in the Firmware Update page. Because filenames are not properly validated and sanitized, a remote attacker may socially engineer an authenticated user into selecting a modified firmware file name, leading to malicious JavaScript execution in that user’s session without the file actually being uploaded. The stated impact includes session hijacking or credential theft, and the source CVSS vector reflects network attack conditions with required user interaction and authenticated access.
- Vendor: Cert Portal
- Product:
  - Siemens SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0) vers:intdot/<3.1.6
  - SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0)
  - SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0) vers:all/*
  - SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0) vers:intdot/<2.9.9
  - SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0)
  - SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0)
  - SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0)
  - SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0)
  - SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0)
  - SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0)
  - SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0)
  - SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0)
  - SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0)
  - SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0)
  - SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0)
  - SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0)
  - SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0)
  - SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0)
  - SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants)
  - SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V2 CPUs
  - SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V3 CPUs
  - SIMATIC ET 200SP Open Controller CPU 1515SP PC3 V4 CPUs
  - SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0)
  - SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0)
  - SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0)
  - SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0)
  - SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0)
  - SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0)
  - SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0)
  - SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0)
  - SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0)
  - SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0)
  - SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0)
  - SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0)
  - SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0)
  - SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0)
  - SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0)
  - SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0)
  - SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0)
  - SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0)
  - SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0)
  - SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0)
  - SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0)
  - SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0)
  - SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0)
  - SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0)
  - SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0)
  - SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0)
  - SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0)
  - SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0)
  - SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0)
  - SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0)
  - SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0)
  - SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0)
  - SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0)
  - SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0)
  - SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0)
  - SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0)
  - SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0)
  - SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0)
  - SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0)
  - SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0)
  - SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0)
  - SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0)
  - SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0)
  - SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0)
  - SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0)
  - SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0)
  - SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0)
  - SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0)
  - SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0)
  - SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0)
  - SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0)
  - SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0)
  - SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0)
  - SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0)
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
OT and ICS operators, plant engineers, and administrators responsible for Siemens SIMATIC S7 / ET 200SP / Drive Controller devices and any web-based firmware update workflow. This is especially relevant for teams that allow remote or broadly delegated access to device management interfaces.
Technical summary
The advisory describes improper filename validation/sanitization on the Firmware Update page. An attacker can craft a modified firmware filename and rely on user interaction to get an authenticated user to select it, which can execute JavaScript in the context of that session. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating network reachability, high complexity, low privileges, and required user interaction.
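The defect class described above, shown as an added example (not Siemens code and not taken from the advisory): a hypothetical page helper that inserts a selected file name into markup unescaped, next to a version that validates against an allowlist and encodes on output. The function names, the `.upd` suffix and the sample names are assumptions constructed for illustration.

```javascript
// Added illustration of unsanitized file-name rendering and its hardened form.
// Hypothetical helpers; names and the ".upd" suffix are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist check: letters, digits, dot, underscore, hyphen, assumed suffix.
// The length cap keeps oversized names out of the UI and logs.
function isPlausibleFirmwareName(name) {
  return typeof name === "string" &&
    name.length <= 128 &&
    /^[A-Za-z0-9][A-Za-z0-9._-]*\.upd$/.test(name);
}

// Defect class: the name is concatenated into markup as-is, so markup
// characters in the name become part of the page.
function renderFileNameUnsafe(name) {
  return '<span class="fw-name">' + name + "</span>";
}

// Hardened form: reject names outside the allowlist, and still encode on
// output so the display path stays safe if validation is later relaxed.
function renderFileNameSafe(name) {
  if (!isPlausibleFirmwareName(name)) {
    return '<span class="fw-error">Rejected file name: ' + escapeHtml(name) + "</span>";
  }
  return '<span class="fw-name">' + escapeHtml(name) + "</span>";
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = ["cpu_fw_v1.upd", 'fw<img src="x">.upd', "fw&co.upd"];

function demo() {
  return SAMPLES.map((name) => ({
    name,
    accepted: isPlausibleFirmwareName(name),
    unsafe: renderFileNameUnsafe(name),
    safe: renderFileNameSafe(name),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

In a browser, assigning the name through `textContent` instead of building markup gives the same output encoding.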
Defensive priority
High. The attack requires user interaction and is high complexity, but the impact is severe and the affected device set is broad across Siemens OT products.
Recommended defensive actions
- Apply Siemens vendor fixes where available, including the version-specific updates listed in the advisory such as V3.1.6 or later and V2.9.9 or later for the affected product families.
- Restrict access to the firmware update function to instructed personnel only, as explicitly recommended by the advisory.
- Limit access to device web management interfaces to trusted administrative networks and use OT segmentation/least-privilege controls from CISA ICS recommended practices.
- Treat firmware update sessions as sensitive administrative actions and verify firmware package provenance before initiating any update workflow.
- Track the Siemens and CISA advisories for product-specific remediation guidance, especially for variants where no fix is currently available or no fix is planned.
Evidence notes
This debrief is based on the supplied CISA CSAF source item ICSA-26-134-15, which republishes Siemens ProductCERT advisory SSA-688146 for CVE-2026-25789. The source dates are 2026-05-12 for publication and 2026-05-14 for republication/modification. The advisory references official Siemens and CISA pages, and the supplied remediation entries include both vendor fixes and a mitigation to restrict firmware update access to instructed personnel.
Official resources
- CVE-2026-25789 CVE record (CVE.org)
- CVE-2026-25789 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in the supplied CISA CSAF on 2026-05-12 and republished from Siemens ProductCERT on 2026-05-14. The supplied enrichment does not list this CVE in KEV.