PatchSiren cyber security CVE debrief

CVE-2025-3899 Schneider Electric CVE debrief

CVE-2025-3899 is a medium-severity cross-site scripting issue in the webserver Certificates page of the Schneider Electric Modicon Controllers M241 and M251. According to the advisory, an authenticated malicious user could inject unvalidated data and cause a victim's browser to read or modify data. Schneider Electric and CISA list a fixed release and mitigations, and the advisory was updated on 2025-07-08 to note that remediation is available.

Vendor: Schneider Electric
Product: Modicon Controllers M241
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2025-07-08
Advisory published: 2025-06-10
Advisory updated: 2025-07-08

Who should care

OT and plant security teams responsible for Schneider Electric Modicon M241/M251 deployments, especially environments where the controller webserver is enabled or reachable from user workstations. Identity and access administrators should also care, because exploitation requires an authenticated user and an authenticated victim whose browser renders the Certificates page.

Technical summary

The advisory identifies CWE-79 cross-site scripting in the Certificates page of the controller webserver. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, required low-privilege authentication, and user interaction in the victim browser. Affected products are Schneider Electric Modicon Controllers M241 versions prior to 5.3.12.51 and M251 versions prior to 5.3.12.51. The vendor states that version 5.3.12.51 resolves the issue.

Defensive priority

Patch promptly. Because the issue is reachable over the network (AV:N) and a successful injection runs in the browser session of whoever views the Certificates page (S:C), prioritize remediation on any exposed or shared-management controllers, then apply the published hardening controls where immediate patching is not possible.

Recommended defensive actions

  • Upgrade Modicon M241 to version 5.3.12.51 using EcoStruxure Automation Expert – Motion v24.1 or EcoStruxure Machine Expert v2.3, then reboot the controller.
  • Upgrade Modicon M251 to version 5.3.12.51 using EcoStruxure Automation Expert – Motion v24.1 or EcoStruxure Machine Expert v2.3, then reboot the controller.
  • If patching is delayed, isolate controllers and devices in a protected environment, and block unauthorized access to HTTP/HTTPS ports 80 and 443 with segmentation and firewall controls.
  • Deactivate the webserver when it is not needed, enforce user management and strong passwords, use encrypted communication links, and use VPN tunnels for remote access.

Evidence notes

CISA CSAF advisory ICSA-25-175-03 and the linked Schneider Electric security notice reference CVE-2025-3899, describe the XSS issue on the Certificates page, identify affected M241/M251 versions prior to 5.3.12.51, and list version 5.3.12.51 as the fix. The advisory revision history shows the original release on 2025-06-10 and an update on 2025-07-08 adding remediation availability. The supplied data does not indicate KEV inclusion or known ransomware use.

Official resources

Publicly disclosed by CISA in advisory ICSA-25-175-03 on 2025-06-10, with the advisory revised on 2025-07-08 to note that remediation was available; the CISA advisory links to the Schneider Electric security notice. No KEV listing is present in the supplied data.