CVE-2025-13902: CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') in Schneider Electric Modicon Controllers M241/M251
A CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could cause a condition where authenticated attackers can have a victim's browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.
AI Analysis
Technical Summary
CVE-2025-13902 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in Schneider Electric Modicon M241 and M251 controllers running firmware versions prior to 5.4.13.12. It stems from improper neutralization of input during web page generation on the device's embedded web server. An authenticated attacker can inject a JavaScript payload into a page served by the controller; when another user who is authenticated to the web interface hovers the mouse over the crafted element carrying that payload, the victim's browser executes the attacker's script. Within the victim's session this can lead to session hijacking, unauthorized actions, or information disclosure.

The CVSS v4.0 base score is 5.1 (medium severity), reflecting a network attack vector, low attack complexity, no privileges required beyond an authenticated account, and user interaction required (hovering). The flaw does not directly affect the controller's core control functions, but it compromises the web management interface, which is a critical part of industrial control system (ICS) security. No public exploits or active exploitation have been reported to date. The vulnerability underlines the importance of secure input handling in the embedded web interfaces of ICS devices. Schneider Electric has reserved the CVE and presumably will ship the fix in firmware updates from version 5.4.13.12 onward.
Potential Impact
The primary impact of CVE-2025-13902 is on the confidentiality and integrity of the web management sessions of Schneider Electric Modicon M241 and M251 controllers. Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated user's browser session, potentially leading to session hijacking, theft of credentials or sensitive configuration data, and unauthorized commands issued via the web interface. This can undermine the security of industrial control systems relying on these controllers, potentially disrupting operational processes or enabling further attacks within the ICS environment. Although the vulnerability does not directly affect the availability or safety functions of the controllers, compromising the management interface can lead to indirect operational risks. The requirement for attacker authentication and user interaction limits the ease of exploitation but does not eliminate risk, especially in environments with multiple users or where social engineering is feasible. Organizations worldwide using these controllers in critical infrastructure sectors such as manufacturing, energy, and utilities could face targeted attacks aiming to gain footholds or disrupt operations.
Mitigation Recommendations
1. Apply firmware updates from Schneider Electric promptly, ensuring all Modicon M241 and M251 controllers run version 5.4.13.12 or later, where this vulnerability is addressed.
2. Restrict access to the web management interface to trusted networks and users only, using network segmentation and firewall rules to limit exposure.
3. Implement strong authentication mechanisms and monitor for unusual login or session activity to detect potential misuse.
4. Educate users with access to the controllers on the risks of interacting with suspicious web elements and encourage cautious behavior to reduce the likelihood of triggering malicious payloads.
5. Employ web application firewalls (WAFs) or intrusion detection systems (IDS) capable of detecting and blocking XSS payloads targeting the controller interfaces.
6. Conduct regular security assessments and penetration testing focused on the ICS web interfaces to identify and remediate similar input validation issues.
7. Consider disabling or restricting web interface features that allow user-generated content or input if not essential for operations.
8. Maintain comprehensive logging and alerting on controller access to facilitate rapid incident response if exploitation is suspected.
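To make the remediation and the detection check concrete, here is an added example (not Schneider Electric's code and not from this page) covering the attribute-context encoding that fixes the CWE-79 pattern described in the Technical Summary and a check for the hover-triggered inline handlers that the monitoring recommendations above call for. The rendered fragment, the device-name input and all function names are constructed assumptions, since the controller's actual page templates are not available.

```javascript
// Added example, not Schneider Electric's code: the controller's web server is
// not available here, so the fragment is a constructed stand-in for a page
// that renders an operator-supplied device name into an HTML attribute.

// Encode a value for a double-quoted HTML attribute (also safe in text nodes).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern (CWE-79): raw interpolation, so a quote inside the value
// closes the title attribute and what follows becomes new attributes.
function renderLabelUnsafe(name) {
  return `<span class="tag" title="${name}">${name}</span>`;
}

// Fixed pattern: the value is encoded for the attribute context first.
function renderLabelSafe(name) {
  const safe = escapeAttr(name);
  return `<span class="tag" title="${safe}">${safe}</span>`;
}

// Detection check: list inline event-handler attribute names (onmouseover,
// onclick, ...) found on start tags. Attributes are walked with quote
// awareness, so an encoded "onmouseover=" inside a value is not a false
// positive. Limitation: a raw ">" inside an attribute value ends the tag
// early; use a DOM parser for production review.
function inlineHandlerNames(html) {
  const found = [];
  const tagRe = /<[a-zA-Z][^\s\/>]*([^>]*)>/g;
  const attrRe = /([^\s="'>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      if (/^on[a-z]+$/i.test(attr[1])) found.push(attr[1].toLowerCase());
    }
  }
  return found;
}

// Constructed test input: a device name carrying a closing quote and a hover
// handler, the classic probe for an attribute-context encoding bug.
const CONSTRUCTED_NAME = 'Pump-1" onmouseover="alert(1)';

console.log(inlineHandlerNames(renderLabelUnsafe(CONSTRUCTED_NAME))); // [ 'onmouseover' ]
console.log(inlineHandlerNames(renderLabelSafe(CONSTRUCTED_NAME)));   // []
```

The same check can be run over captured HTTP responses from the management interface to confirm that no page carries unexpected inline handlers after the firmware update.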
Affected Countries
United States, Germany, France, China, South Korea, Japan, United Kingdom, Canada, Australia, Brazil, India, Italy, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: schneider
- Date Reserved: 2025-12-02T16:20:41.599Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b05626ea502d3aa87d6870
Added to database: 3/10/2026, 5:34:30 PM
Last enriched: 3/10/2026, 6:32:12 PM
Last updated: 3/13/2026, 12:19:46 AM