PatchSiren cyber security CVE debrief
CVE-2025-13902 Schneider Electric CVE debrief
CVE-2025-13902 is a cross-site scripting issue in Schneider Electric Modicon controller web interfaces. According to the advisory, an authenticated attacker can plant a malicious element so that a victim’s browser runs arbitrary JavaScript when hovering over it. Schneider Electric states that firmware 5.4.13.12, delivered with EcoStruxure Machine Expert v2.5.0.1, includes the fix for M241 and M251; the advisory also covers M258 and LMC058 and recommends defensive hardening where remediation is not applied.
- Vendor: Schneider Electric
- Product: Modicon Controllers M241
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-10
- Original CVE updated: 2026-03-19
- Advisory published: 2026-03-10
- Advisory updated: 2026-03-19
Who should care
OT/ICS operators using Schneider Electric Modicon controllers, plant engineers, administrators of controller web interfaces, and security teams responsible for EcoStruxure Machine Expert workstations and segmented industrial networks.
Technical summary
The advisory describes a CWE-79 input-neutralization failure in web page generation affecting Schneider Electric Modicon controllers. The reported impact is browser-side script execution when an authenticated user interacts with a maliciously crafted element on the device web server, with user interaction required and network access assumed. The source corpus ties the fix for M241 and M251 to firmware 5.4.13.12, delivered through EcoStruxure Machine Expert v2.5.0.1, while the remaining product entries are addressed through mitigations in the notice.
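The following JavaScript is an added illustration, not code from the advisory or from Schneider Electric's firmware (the source does not describe the controller's web server implementation). It contrasts the CWE-79 pattern the advisory describes, a stored attacker-controlled string concatenated unescaped into markup so that a hover handler becomes live, with context-aware output escaping, and adds a small attribute tokenizer that a defender can use to check rendered markup for inline on* handlers. The label value and element names are constructed for the example.

```javascript
// Constructed sample: a label as an authenticated user might store it on the device.
const HOSTILE_LABEL = 'Pump1" onmouseover="alert(document.cookie)';

// CWE-79 pattern: raw concatenation lets the quote in the value close the
// title attribute and start a new onmouseover attribute.
function renderUnsafe(label) {
  return `<span title="${label}">${label}</span>`;
}

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape at every insertion point.
function renderSafe(label) {
  const e = escapeHtml(label);
  return `<span title="${e}">${e}</span>`;
}

// Attribute names of the first start tag, tokenized roughly as a browser would:
// quoted values may contain spaces, unquoted values end at whitespace or '>'.
function attributeNames(html) {
  const names = [];
  let i = html.indexOf('<') + 1;
  while (i < html.length && !/[\s>]/.test(html[i])) i++; // skip tag name
  while (i < html.length && html[i] !== '>') {
    while (i < html.length && /\s/.test(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    while (i < html.length && !/[\s=>]/.test(html[i])) name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const end = html.indexOf(q, i + 1);
        i = end < 0 ? html.length : end + 1;
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
      }
    }
  }
  return names;
}

// Defender-side check: does the rendered element carry an inline event handler?
function hasLiveHandler(html) {
  return attributeNames(html).some((n) => n.startsWith('on'));
}
```

Running `hasLiveHandler` over both renderings shows the unescaped output gains an `onmouseover` attribute while the escaped output keeps only `title`, with the hostile text inert inside it.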
Defensive priority
Medium priority: patch promptly on exposed M241/M251 deployments and apply webserver/network hardening immediately across affected Modicon systems, especially where controller web access is enabled.
Recommended defensive actions
- Update Modicon Controller M241 and M251 to firmware 5.4.13.12 using EcoStruxure Machine Expert v2.5.0.1 and the Schneider Electric Software Installer.
- Reboot the controller after applying the vendor firmware update.
- If a system cannot be remediated immediately, disable the webserver when it is not needed and block unauthorized access to HTTP/HTTPS ports 80 and 443.
- Keep controllers and associated devices in a protected, segmented environment that is not reachable from the public internet or untrusted networks.
- Require strong authentication and user management, and use encrypted communication links.
- Use VPN tunnels for remote access and follow Schneider Electric’s cybersecurity hardening guidance for EcoStruxure Machine Expert, Modicon, and PacDrive controllers.
Evidence notes
This debrief is based on CISA’s CSAF advisory ICSA-26-078-02 and Schneider Electric’s SEVD-2026-069-02 notice, both published on 2026-03-10 and republished/updated by CISA on 2026-03-19. The corpus states a CVSS v4.0 Base Score of 5.1 (Medium) for an authenticated XSS condition that triggers arbitrary JavaScript in a victim browser on hover. Remediation and mitigation language is taken from the vendor notice as mirrored in the CISA CSAF source.
Official resources
- CVE-2025-13902 CVE record (CVE.org)
- CVE-2025-13902 NVD detail (NVD)
- Source item URL: cisa_csaf
Public advisory published 2026-03-10 and republished by CISA on 2026-03-19; not listed in CISA KEV.