PatchSiren cyber security CVE debrief
CVE-2025-13970 OpenPLC_V3 CVE debrief
CVE-2025-13970 is a cross-site request forgery (CSRF) vulnerability in OpenPLC_V3, published by CISA on 2025-12-11 and updated on 2026-04-09. The vulnerability exists due to absent CSRF validation, allowing unauthenticated attackers to trick authenticated administrators into executing unauthorized actions via maliciously crafted links. Successful exploitation could result in unauthorized modification of PLC settings or upload of malicious programs, with potential for significant operational disruption or physical damage to connected industrial systems. The CVSS 3.1 score of 8.0 (HIGH) reflects the serious integrity and availability impacts, though attack complexity is rated as high due to required user interaction. OpenPLC_v3 is now end-of-life; CISA recommends upgrading to OpenPLC Runtime v4.
- Vendor: OpenPLC_V3
- Product: Unknown
- CVSS: HIGH 8.0
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-11
- Original CVE updated: 2026-04-09
- Advisory published: 2025-12-11
- Advisory updated: 2026-04-09
Who should care
Industrial control system operators, OT security teams, manufacturing security personnel, critical infrastructure defenders, and organizations running OpenPLC_v3 in production environments. Organizations subject to NERC CIP, IEC 62443, or similar industrial cybersecurity frameworks should prioritize assessment and migration planning.
Technical summary
The vulnerability stems from missing CSRF token validation in OpenPLC_V3's web interface. An unauthenticated attacker can craft malicious HTML forms or links that, when visited by an authenticated administrator, execute state-changing operations using the victim's active session. The attack requires network access to the management interface and successful social engineering of the administrator. Impact is limited by high attack complexity (user interaction required) but severity is elevated by potential for integrity and availability compromise in industrial control environments. No patch is available for v3; migration to v4 is the prescribed remediation.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade from end-of-life OpenPLC_v3 to OpenPLC Runtime v4
- Implement network segmentation to isolate PLC management interfaces from untrusted networks
- Deploy web application firewall rules to detect and block suspicious cross-origin requests
- Enforce strict session management with short timeout periods for administrative sessions
- Conduct user awareness training on recognizing and avoiding phishing/social engineering attacks targeting ICS administrators
- Review and implement CISA ICS recommended practices for defense-in-depth strategies
- Monitor for anomalous configuration changes or program uploads in PLC environments
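The two server-side checks that close a CSRF gap of the kind described in the technical summary, together with the cross-origin logic that the WAF-rule and monitoring actions above depend on, as an added Python example; this is not OpenPLC_V3 code and is not taken from the advisory. The console host name, the endpoint paths and the sample requests are constructed assumptions for the example.

```python
# Added example (not OpenPLC_V3 code): server-side CSRF checks for a PLC web
# console, run over constructed sample requests. The trusted host name, the
# endpoint paths and the requests below are assumptions, not advisory data.
import hmac
import secrets
from urllib.parse import urlsplit

# Host name the management console is served from (assumed for the example).
TRUSTED_HOST = "plc-console.example.internal"
# HTTP methods that change PLC state (settings, program upload, start/stop).
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def issue_csrf_token(session: dict) -> str:
    """Create a random per-session token. The server stores it and the
    legitimate form embeds it; a page on another origin cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Origin check: the logic a WAF rule for suspicious cross-origin requests
    encodes. Browsers attach Origin to cross-site POSTs, so a state-changing
    request whose Origin (or, failing that, Referer) names another host, or
    that carries neither header, is rejected."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname == TRUSTED_HOST
    return False


def token_valid(session: dict, form: dict) -> bool:
    """Synchronizer-token check; the constant-time compare avoids timing leaks."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def check_request(method: str, headers: dict, session: dict, form: dict) -> str:
    """Return 'allow' or 'deny: <reason>' for one request. Read-only methods
    pass untouched; state-changing ones must satisfy both checks."""
    if method.upper() not in STATE_CHANGING:
        return "allow"
    if not origin_allowed(headers):
        return "deny: cross-origin"
    if not token_valid(session, form):
        return "deny: bad csrf token"
    return "allow"


def audit_samples() -> list:
    """Run the checks over constructed requests (not real traffic) and return
    (method, path, verdict) triples; the 'deny' rows are what to log and alert on."""
    session = {}
    token = issue_csrf_token(session)
    samples = [
        # Administrator submits the real settings form from the console itself.
        ("POST", "/settings", {"Origin": "https://plc-console.example.internal"},
         {"csrf_token": token}),
        # Request arriving from another site while the admin's session is live.
        ("POST", "/upload-program", {"Origin": "https://attacker.example"}, {}),
        # Right origin but a stale token, e.g. an old form re-submitted.
        ("POST", "/start_run",
         {"Referer": "https://plc-console.example.internal/dashboard"},
         {"csrf_token": "stale"}),
        # Ordinary page view: no state change, so no checks apply.
        ("GET", "/dashboard", {}, {}),
    ]
    return [(m, p, check_request(m, h, session, f)) for m, p, h, f in samples]


if __name__ == "__main__":
    for method, path, verdict in audit_samples():
        print(f"{method:6} {path:18} {verdict}")
```

The token check is the primary control and the origin check is a cheap second layer that can also live in a reverse proxy or WAF in front of an end-of-life runtime that cannot be patched; neither replaces the migration to OpenPLC Runtime v4 that the advisory prescribes.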
Evidence notes
CISA ICS advisory ICSA-25-345-10 (Update A) documents this CSRF vulnerability in OpenPLC_V3 with CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H. The advisory explicitly states the product is end-of-life and directs users to OpenPLC Runtime v4. SSVC scoring indicates Exploitation: None, Automatable: No as of 2026-04-08.
Official resources
- CVE-2025-13970 CVE record (CVE.org)
- CVE-2025-13970 NVD detail (NVD)
- Source item URL: cisa_csaf