PatchSiren cyber security CVE debrief
CVE-2026-25787 Siemens CVE debrief
CVE-2026-25787 is an authenticated cross-site scripting issue in the Siemens SIMATIC web interface. A Technology Object (TO) name shown on the Motion Control Diagnostics page is not properly validated or sanitized, so a user who can download a TIA project into the product may inject malicious scripts. If another user with suitable rights opens that page, the script runs in that user's web session.
- Vendor: Siemens
- Product: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0)
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
OT administrators, Siemens SIMATIC owners, PLC engineering teams, and security teams responsible for the listed SIMATIC Drive Controller and S7-1500 / ET 200SP products should prioritize this advisory, especially where the web interface is enabled and TIA project import/download rights are broadly assigned.
Technical summary
The advisory describes a reflected/stored web UI injection condition on the Motion Control Diagnostics page. The vulnerable data path is the Technology Object name, which is rendered without adequate validation/sanitization. Exploitation requires authentication and authorization to download a TIA project into the device, but the impact is significant because the injected script executes in the scope of a benign user's web session. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, with a score of 9.1.
Defensive priority
Critical. Although the attack requires high privileges, the combination of network exposure, web-session impact, and possible abuse of trusted engineering workflows makes this a high-priority remediation item for OT environments.
Recommended defensive actions
- Apply Siemens vendor fixes where available: update to V3.1.6 or later for the affected Drive Controller CPU 1504D TF and related entries covered by that remediation.
- Apply Siemens vendor fixes where available: update to V2.9.9 or later for the affected ET 200SP / S7-1500 entries covered by that remediation.
- Where the advisory states no fix is currently available or no fix is planned, implement compensating controls and track vendor guidance for future updates.
- Restrict TIA project download privileges to trusted personnel only, as recommended in the advisory.
- Limit access to the device web interface to necessary administrative networks and users.
- Review OT account assignment and remove unnecessary high-privilege access that could allow project download into the product.
- Monitor for unexpected content or behavior on the Motion Control Diagnostics page and other web UI pages that render project-supplied names.
- Use Siemens and CISA recommended industrial-control-system hardening practices to reduce exposure while patching is pending.
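To support the project-download restriction and the monitoring of project-supplied names, a reviewer can screen Technology Object names before a project is downloaded. The following is an added example, not code from Siemens or from the advisory; the allowlist is an assumed site naming policy, and the list of names is assumed to have been extracted from the project by the reviewer's own means.

```python
import html
import re
import unicodedata

# Assumption: site naming policy for Technology Objects (not a Siemens rule).
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9_\- ]")
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_\- ]{1,64}")

# Constructed sample names, as a reviewer might list them from a project.
SAMPLE_NAMES = ["SpeedAxis_1", "PositioningAxis-2", "Axis<script>",
                "Axis\uff1cb\uff1e", "Axis\u200b3", ""]

def review_to_name(name: str) -> dict:
    """Check one Technology Object name against the naming policy."""
    # NFKC folds look-alikes such as fullwidth '<' (U+FF1C) to ASCII,
    # so markup hidden behind compatibility characters is still caught.
    folded = unicodedata.normalize("NFKC", name)
    reasons = []
    if folded != name:
        reasons.append("changes under NFKC normalization")
    if any(unicodedata.category(c).startswith("C") for c in name):
        reasons.append("contains control/format characters")
    if not ALLOWED_NAME.fullmatch(folded):
        bad = sorted({c for c in folded if not ALLOWED_CHAR.fullmatch(c)})
        if bad:
            reasons.append("outside allowlist: " + " ".join(repr(c) for c in bad))
        else:
            reasons.append("length outside 1-64")
    return {
        "name": name,
        "ok": not reasons,
        "reasons": reasons,
        # How the name should appear if rendered safely in an HTML page.
        "encoded": html.escape(folded, quote=True),
    }

def review_project(names) -> list:
    """Return findings only for names that violate the policy."""
    return [f for f in map(review_to_name, names) if not f["ok"]]

if __name__ == "__main__":
    for finding in review_project(SAMPLE_NAMES):
        print(repr(finding["name"]), "->", "; ".join(finding["reasons"]))
```

A name that fails this screen is a reason to hold the download and ask the project author about it, not proof of an attack.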
Evidence notes
This debrief is based on the supplied CISA CSAF advisory ICSA-26-134-15 and the referenced Siemens ProductCERT advisory SSA-688146. The source corpus states the issue was published on 2026-05-12 and modified on 2026-05-14; those dates are used as the CVE timing context here. The corpus also links the remediation options to Siemens update paths and a compensating control to restrict TIA project download to trusted personnel only. No exploit code or offensive reproduction steps were used.
Official resources
- CVE-2026-25787 CVE record (CVE.org)
- CVE-2026-25787 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA CSAF advisory ICSA-26-134-15 on 2026-05-12, with a CISA republication of the Siemens advisory on 2026-05-14.