Improper Input Validation in Siemens Devices
CVE-2026-25789

7.2HIGH

Key Information:

Vendor: Siemens
Status: Simatic Drive Controller Cpu 1504d Tf; Simatic Drive Controller Cpu 1507d Tf; Simatic Et 200sp Cpu 1510sp F-1 Pn; Simatic Et 200sp Cpu 1510sp-1 Pn
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-25789?

Certain Siemens devices fail to adequately validate and sanitize filenames on their Firmware Update page. This oversight can enable an attacker to exploit social engineering tactics, tricking users into selecting a malicious firmware file without actual file upload. Consequently, this vulnerability could facilitate malicious JavaScript execution within the authenticated user's session, potentially leading to unauthorized session hijacking and credential theft.

Affected Version(s)

SIMATIC Drive Controller CPU 1504D TF 0

SIMATIC Drive Controller CPU 1507D TF 0

SIMATIC ET 200SP CPU 1510SP F-1 PN 0

References

https://cert-portal.siemens.com/productcert/html/ssa-6881...

CVSS V4

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Feb 5, 2026

CVE-2026-25789 Data

JSON