CVE-2025-25264 is a vulnerability identified in the WAGO CC100 0751-9x01 industrial controller device, stemming from an overly permissive Cross-Origin Resource Sharing (CORS) policy classified under CWE-942. The vulnerability allows an unauthenticated remote attacker to exploit the device's CORS configuration by tricking an administrator into visiting a malicious website containing JavaScript code. Due to the permissive CORS policy, the malicious script can bypass same-origin restrictions and access arbitrary files on the device's file system, potentially exposing sensitive configuration or operational data. The attack requires no authentication but does require user interaction, specifically the admin visiting the attacker-controlled website. The CVSS v3.1 score is 6.5 (medium severity), reflecting the high confidentiality impact but no impact on integrity or availability. The vulnerability is significant in environments where WAGO CC100 0751-9x01 devices are deployed, commonly in industrial automation and control systems. No patches or exploits are currently known, but the risk remains due to the potential for sensitive data exposure. The permissive CORS policy indicates a misconfiguration that fails to restrict cross-origin requests to trusted domains, a common web security issue that can lead to data leakage. The vulnerability was reserved in early 2025 and published mid-2025, indicating recent discovery and disclosure.

For European organizations, especially those in industrial automation, manufacturing, and critical infrastructure sectors, this vulnerability poses a risk of sensitive data exposure from WAGO CC100 0751-9x01 devices. Confidentiality breaches could lead to leakage of operational parameters, system configurations, or proprietary information, potentially aiding further attacks or industrial espionage. While the vulnerability does not directly impact system integrity or availability, the exposure of sensitive files could facilitate secondary attacks or disrupt trust in operational technology environments. The requirement for user interaction (admin visiting a malicious site) means that social engineering or phishing campaigns could be leveraged by attackers. Given the widespread use of WAGO controllers in European industrial sectors, the vulnerability could have significant operational security implications if exploited. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure.

1. Immediately review and restrict the CORS policy on WAGO CC100 0751-9x01 devices to allow only trusted, necessary domains, ideally limiting to internal management interfaces or specific administrative domains. 2. Implement network segmentation to isolate industrial controllers from general internet access and reduce exposure to malicious websites. 3. Educate administrators and operators about the risks of visiting untrusted websites, emphasizing phishing awareness and social engineering defenses. 4. Monitor network traffic for unusual cross-origin requests or attempts to access device file systems remotely. 5. Engage with WAGO support or vendors for any forthcoming patches or firmware updates addressing this vulnerability. 6. Consider deploying web filtering or proxy solutions to block access to known malicious domains and reduce the risk of accidental visits to attacker-controlled sites. 7. Conduct regular security audits of industrial control systems to detect misconfigurations like overly permissive CORS policies. 8. If possible, implement multi-factor authentication and strict access controls on administrative interfaces to reduce the risk of unauthorized access.