CVE-2025-13902 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in Schneider Electric Modicon Controllers M241 and M251 models running firmware versions prior to 5.4.13.12. The flaw stems from improper input sanitization during the generation of web pages served by the controller’s embedded web server. Authenticated attackers can inject malicious JavaScript code into the web interface, which executes when a victim user hovers over a maliciously crafted element. This vulnerability leverages the victim’s browser to run arbitrary scripts, potentially enabling session hijacking, unauthorized command execution within the web interface, or theft of sensitive information accessible via the browser session. The attack vector requires the attacker to have authenticated access to the controller’s web interface, but no additional user interaction beyond hovering is needed. The CVSS v4.0 base score is 5.1 (medium), reflecting network attack vector, low attack complexity, no privileges required beyond authentication, and partial scope impact. The vulnerability affects industrial control systems widely used in manufacturing, energy, and critical infrastructure sectors. No public exploits have been reported yet, but the potential for targeted attacks against operational technology environments exists. The vulnerability highlights the importance of secure coding practices in embedded web interfaces of industrial devices.

The impact of CVE-2025-13902 is significant for organizations relying on Schneider Electric Modicon M241 and M251 controllers, especially in industrial and critical infrastructure environments. Successful exploitation can lead to unauthorized execution of JavaScript in the context of a legitimate user’s browser session, potentially allowing attackers to hijack sessions, manipulate controller settings, or exfiltrate sensitive data. This can disrupt industrial processes, cause operational downtime, or facilitate further attacks within the network. Since these controllers are often part of supervisory control and data acquisition (SCADA) systems, the vulnerability could indirectly affect the availability and integrity of critical infrastructure such as manufacturing plants, energy grids, and water treatment facilities. Although exploitation requires authenticated access, insider threats or compromised credentials could enable attackers to leverage this vulnerability. The lack of known exploits currently reduces immediate risk, but the medium severity score and the strategic importance of affected systems warrant prompt remediation to prevent escalation.

To mitigate CVE-2025-13902, organizations should immediately upgrade Schneider Electric Modicon M241 and M251 controllers to firmware version 5.4.13.12 or later, where the vulnerability is addressed. If patching is not immediately feasible, restrict access to the controller’s web interface to trusted networks and users only, employing network segmentation and strong access controls. Implement multi-factor authentication (MFA) for all users accessing the device to reduce the risk of credential compromise. Monitor logs for unusual authenticated activity that could indicate attempts to exploit this vulnerability. Additionally, disable or limit the use of web interface features that allow user input or interaction if possible. Security teams should conduct regular vulnerability assessments and penetration testing on industrial control systems to detect similar input validation issues. Finally, educate operational technology personnel about the risks of XSS and the importance of cautious interaction with web interfaces in industrial environments.