PatchSiren cyber security CVE debrief
CVE-2025-3117 Schneider Electric CVE debrief
CVE-2025-3117 is a CWE-79 cross-site scripting vulnerability in Schneider Electric Modicon controller web configuration paths. According to the CISA CSAF advisory and Schneider Electric notice, an authenticated malicious user could inject unvalidated data that may let them modify or read data in a victim’s browser. The issue affects Modicon M241, M251, M262, M258, and LMC058. Vendor fixes are available for M241, M251, and M262; M258 and LMC058 are listed as awaiting a future remediation plan, so mitigations matter immediately for those products.
- Vendor: Schneider Electric
- Product: Modicon Controllers M241
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2025-07-08
- Advisory published: 2025-06-10
- Advisory updated: 2025-07-08
Who should care
OT/ICS operators, plant engineers, and security teams running Schneider Electric Modicon controllers—especially environments that use the embedded webserver or allow authenticated users to manage configuration files. This is most relevant where controllers are reachable from broader networks or remote access paths.
Technical summary
CVE-2025-3117 is described as a CWE-79 improper input neutralization issue during web page generation. The advisory says the weakness impacts configuration file paths and can allow an authenticated malicious user to inject unvalidated data into a victim’s browser, with potential impact to confidentiality and integrity. The provided CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4 Medium). Affected products include M241 prior to 5.3.12.51, M251 prior to 5.3.12.51, M262 prior to 5.3.9.18, and all versions of M258 and LMC058. Schneider Electric’s revision history notes remediation availability was added on 2025-07-08 for updating M241/M251 firmware via EcoStruxure Machine Expert v2.3 / EcoStruxure Automation Expert – Motion v24.1.
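As an added example (not from the advisory or from Schneider Electric), the following Python check applies the version thresholds above to a constructed controller inventory; asset names and firmware values are made up, and products with no fixed release listed (M258, LMC058) are flagged for mitigation only.

```python
from __future__ import annotations

# Added example, not vendor code: triage Modicon controllers against the
# fixed versions stated for CVE-2025-3117. None means every version is affected
# and no fixed release is listed (M258 / LMC058 await a future remediation plan).
FIXED_VERSIONS: dict[str, str | None] = {
    "M241": "5.3.12.51",
    "M251": "5.3.12.51",
    "M262": "5.3.9.18",
    "M258": None,
    "LMC058": None,
}


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted firmware string into integers so that 5.3.10.0 compares
    numerically above 5.3.9.18 (a plain string comparison would get this wrong)."""
    return tuple(int(part) for part in version.strip().split("."))


def assess(model: str, firmware: str) -> str:
    """Return 'update', 'patched', 'mitigate-only' or 'not-in-advisory'."""
    model = model.strip().upper()
    if model not in FIXED_VERSIONS:
        return "not-in-advisory"
    fixed = FIXED_VERSIONS[model]
    if fixed is None:
        return "mitigate-only"  # affected, but no fixed firmware published yet
    if parse_version(firmware) < parse_version(fixed):
        return "update"
    return "patched"


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Group asset names by status; inventory rows are (asset, model, firmware)."""
    report: dict[str, list[str]] = {}
    for asset, model, firmware in inventory:
        report.setdefault(assess(model, firmware), []).append(asset)
    return report


# Constructed sample inventory; model names other than those in the advisory are placeholders.
SAMPLE_INVENTORY = [
    ("plc-line1", "M241", "5.3.11.20"),
    ("plc-line2", "M241", "5.3.12.51"),
    ("plc-pack", "M262", "5.3.9.18"),
    ("plc-mix", "M258", "5.1.0.0"),
    ("plc-old", "LMC058", "4.0.2.0"),
    ("plc-other", "UNLISTED-MODEL", "4.10"),
]

if __name__ == "__main__":
    for status, assets in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(assets)}")
```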
Defensive priority
Medium, with elevated operational urgency for exposed OT environments. The vulnerability requires authentication and user interaction, but it affects browser-side handling in industrial controller workflows and has vendor remediation or hardening steps that should be applied promptly.
Recommended defensive actions
- Update Schneider Electric Modicon M241 to version 5.3.12.51 or later using the Controller Assistant feature in EcoStruxure Automation Expert – Motion v24.1 or EcoStruxure Machine Expert v2.3, and reboot after updating.
- Update Modicon M251 to version 5.3.12.51 or later using the vendor-supported firmware update path, and reboot after updating.
- Update Modicon M262 to version 5.3.9.18 or later using the vendor-supported firmware update path, and reboot after updating.
- For Modicon M258 and LMC058, apply Schneider Electric’s mitigations immediately because the provided advisory indicates a future remediation plan rather than a fixed version at the time of the source revision.
- Restrict controller access to trusted networks only; do not expose these devices to the public internet or untrusted networks.
- Use strong user management and passwords, and keep user rights enforced as described in the advisory.
- Deactivate the webserver when it is not needed.
- Use encrypted communication links and network segmentation, and block unauthorized access to HTTP/HTTPS ports 80 and 443 with firewall rules or equivalent controls.
- Use VPN tunnels for remote access rather than direct,
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-25-175-03 (published 2025-06-10, revised 2025-07-08) and Schneider Electric’s SEVD-2025-161-02 notice. The source describes a CWE-79 XSS issue affecting configuration file paths, lists impacted products and version thresholds, and provides remediation/mitigation guidance. The advisory’s revision history specifically states that remediation became available on 2025-07-08 for updating M241/M251 firmware via EcoStruxure Machine Expert v2.3. The CVSS vector provided in the source is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
Official resources
- CVE-2025-3117 CVE record (CVE.org)
- CVE-2025-3117 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA ICS Advisory ICSA-25-175-03 on 2025-06-10, with a source revision on 2025-07-08 noting remediation availability for some affected products. The provided corpus does not place the CVE in CISA KEV.