Cross-Site Scripting Vulnerability in Schneider Electric PLC Products
CVE-2025-3905

5.1 MEDIUM

What is CVE-2025-3905?

A cross-site scripting (XSS) vulnerability has been identified in specific Schneider Electric PLC systems. It allows authenticated malicious users to inject unvalidated data into web pages, which can lead to data being modified or exposed in the victim's browser. Attackers may exploit this flaw to execute arbitrary scripts, potentially leading to unauthorized access or manipulation of sensitive information. Users of affected Schneider Electric PLC systems should implement security best practices and monitor their environments for suspicious activity.

Affected Version(s)

Modicon Controllers M241/M251 Versions prior to 5.3.12.51

Modicon Controllers M258 / LMC058 All Versions

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
