PatchSiren cyber security CVE debrief
CVE-2025-3905 Schneider Electric CVE debrief
CVE-2025-3905 is a cross-site scripting vulnerability in Schneider Electric Modicon controller web interfaces that can let an authenticated malicious user inject unvalidated data into PLC system variables and influence what a victim’s browser reads or modifies. CISA published the advisory on 2025-06-10 and updated it on 2025-07-08 when remediation became available for the M241/M251 path. The advisory remains important for environments that expose controller web services or rely on browser-based administration.
- Vendor
- Schneider Electric
- Product
- Modicon Controllers M241
- CVSS
- MEDIUM 5.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2025-07-08
- Advisory published
- 2025-06-10
- Advisory updated
- 2025-07-08
Who should care
OT/ICS operators using Schneider Electric Modicon controllers, especially M241 and M251 prior to 5.3.12.51, and any sites running M258 or LMC058. Security teams should also care if controller web interfaces are reachable from broader networks or remote-access paths.
Technical summary
The source advisory describes CWE-79 (Improper Neutralization of Input During Web Page Generation) affecting PLC system variables. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, which indicates network reachability, low attack complexity, required low privileges, required user interaction, and limited confidentiality/integrity impact with no availability impact. Schneider Electric lists affected products as Modicon Controllers M241 versions prior to 5.3.12.51, M251 versions prior to 5.3.12.51, and all versions of M258 and LMC058. The advisory revision dated 2025-07-08 states that remediation is now available for M241/M251 through EcoStruxure Machine Expert v2.3 / EcoStruxure Automation Expert - Motion v24.1 to update firmware and reboot.
Defensive priority
Medium priority: patch M241/M251 promptly and apply hardening/segmentation immediately for exposed controller web interfaces, especially where browser-based administration is used.
Recommended defensive actions
- Update Modicon M241 and M251 to version 5.3.12.51 using the vendor-supported controller update workflow and reboot the device.
- For M258 and LMC058, apply the vendor mitigations now and track Schneider Electric’s remediation plan for future versions.
- Restrict controller and device access to protected networks; do not expose them to the public internet or untrusted networks.
- Use user management and strong passwords; ensure default rights and password requirements are in place.
- Disable the webserver when it is not needed.
- Use encrypted communication links and VPN tunnels for remote access.
- Segment the network and block unauthorized access to ports 80/HTTP and 443/HTTPS with firewall rules.
- Follow Schneider Electric’s product-specific hardening guidance and CISA industrial control system recommended practices.
Evidence notes
All claims are grounded in the supplied CISA CSAF advisory and vendor references. The advisory identifies Schneider Electric as the vendor and Modicon Controllers M241/M251/M258/LMC058 as affected products. The revision history shows the original release on 2025-06-10 and a 2025-07-08 update noting remediation availability for M241/M251 via EcoStruxure Machine Expert v2.3. The source also provides mitigations for all affected products and states that M258/LMC058 remediation is planned for future versions. No KEV listing is present in the supplied data.
Official resources
-
CVE-2025-3905 CVE record
CVE.org
-
CVE-2025-3905 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA and Schneider Electric on 2025-06-10; advisory revision 2.0.0 on 2025-07-08 added remediation availability for M241/M251.