CVE-2025-3899: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Schneider Electric Modicon Controllers M241/M251
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in the Certificates page of the webserver that could allow unvalidated data injected by an authenticated malicious user to modify or read data in a victim's browser.
AI Analysis
Technical Summary
CVE-2025-3899 is a medium-severity Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting Schneider Electric Modicon Controllers M241 and M251 running firmware versions prior to 5.3.12.51. The vulnerability exists specifically on the Certificates page of the embedded webserver interface used to manage these industrial controllers. An authenticated malicious user can inject unvalidated input into the web page generation process, which is then rendered in the victim's browser without proper sanitization or encoding. This improper neutralization of input allows the attacker to execute arbitrary scripts in the context of the victim's browser session. The CVSS 4.0 vector indicates the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:P). The impact on confidentiality and integrity is limited but non-negligible (VI:L), with no impact on availability or system confidentiality. The scope is limited to the web interface of the affected controllers, and the vulnerability does not propagate beyond the web session. There are no known exploits in the wild as of the publication date, and no official patches have been linked yet. This vulnerability could allow an attacker with authenticated access to steal session cookies, manipulate displayed data, or perform actions on behalf of the victim user within the controller's web interface, potentially leading to unauthorized configuration changes or information disclosure within industrial control environments.
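The pattern the summary describes is the same one that affects any page that echoes certificate metadata: once an authenticated user can upload a certificate, fields such as the subject CN are untrusted input and must be neutralized when the page is generated. The following is an added example, not Schneider Electric's firmware code; the field names, the sample certificates and the page layout are constructed assumptions. It places the vulnerable string-interpolation form beside a hardened version that entity-encodes every untrusted field and ships a restrictive Content-Security-Policy as defence in depth.

```python
"""Vulnerable vs. hardened rendering of a certificate listing page.

Added example (not Schneider Electric code): models the CWE-79 pattern the
advisory describes. Certificate fields such as the subject CN are attacker-
influenced once an authenticated user can upload a certificate, so they are
treated as untrusted data at page-generation time.
"""
from html import escape

# Constructed sample data: the second certificate's subject carries markup.
# A real page would read these fields out of the uploaded X.509 certificate.
SAMPLE_CERTS = [
    {"name": "controller-https", "subject": "CN=plc01.example.local", "expires": "2027-01-31"},
    {"name": "uploaded-1", "subject": "CN=<script>alert(1)</script>", "expires": "2026-06-30"},
]


def render_row_unsafe(cert: dict) -> str:
    """Vulnerable: fields are interpolated into HTML without neutralization."""
    return (f"<tr><td>{cert['name']}</td><td>{cert['subject']}</td>"
            f"<td>{cert['expires']}</td></tr>")


def render_row(cert: dict) -> str:
    """Hardened: every untrusted field is HTML-entity encoded for the element context."""
    cells = (escape(str(cert[key]), quote=True) for key in ("name", "subject", "expires"))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


def render_page(certs, row_renderer=render_row) -> str:
    """Assemble the certificates table; the renderer decides whether fields are encoded."""
    rows = "".join(row_renderer(cert) for cert in certs)
    return ("<!doctype html><html><body><table>"
            "<tr><th>Name</th><th>Subject</th><th>Expires</th></tr>"
            f"{rows}</table></body></html>")


def contains_active_markup(page: str, field_values) -> bool:
    """Defender check: does any untrusted value containing a tag survive verbatim into the page?"""
    return any("<" in value and value in page for value in field_values)


# Response headers the hardened page should be served with (assumed names/values,
# standard HTTP headers). Even if an encoding bug slips through, inline script is blocked.
RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    subjects = [cert["subject"] for cert in SAMPLE_CERTS]
    unsafe_page = render_page(SAMPLE_CERTS, render_row_unsafe)
    safe_page = render_page(SAMPLE_CERTS)
    print("unsafe page leaks raw markup:", contains_active_markup(unsafe_page, subjects))
    print("hardened page leaks raw markup:", contains_active_markup(safe_page, subjects))
```

The check in `contains_active_markup` is a cheap regression test a firmware team can run against every generated page: if any untrusted field that contains `<` appears in the output byte-for-byte, encoding was skipped somewhere. Entity encoding must match the context the value lands in; the example only covers element content and quoted attributes, which is what a table cell needs.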
Potential Impact
For European organizations, especially those operating critical infrastructure or manufacturing facilities that utilize Schneider Electric Modicon M241/M251 controllers, this vulnerability poses a tangible risk. Successful exploitation could lead to unauthorized access or manipulation of industrial control systems via the web interface, potentially disrupting operational processes or causing safety issues. Although the vulnerability requires authenticated access, insider threats or compromised credentials could be leveraged by attackers to exploit this XSS flaw. The ability to execute scripts in the context of legitimate users may facilitate further attacks such as session hijacking, privilege escalation, or lateral movement within the network. Given the widespread use of Schneider Electric products in European industrial sectors such as energy, manufacturing, and utilities, the vulnerability could impact operational continuity and data integrity. Additionally, regulatory frameworks like NIS2 and GDPR emphasize the protection of critical infrastructure and personal data, so exploitation could also lead to compliance violations and reputational damage.
Mitigation Recommendations
To mitigate this vulnerability effectively, European organizations should:
1) Immediately identify and inventory all Modicon M241 and M251 controllers in their environment and verify firmware versions.
2) Apply the latest firmware updates from Schneider Electric as soon as they become available, prioritizing versions 5.3.12.51 or later that address this issue.
3) Restrict access to the web interface of these controllers by implementing network segmentation and firewall rules to limit administrative access only to trusted hosts and personnel.
4) Enforce strong authentication mechanisms and regularly rotate credentials to reduce the risk of compromised accounts.
5) Monitor web server logs and network traffic for unusual or suspicious activity indicative of attempted XSS exploitation or unauthorized access.
6) Educate users with access to these controllers about the risks of phishing and social engineering that could lead to credential compromise.
7) Consider deploying web application firewalls (WAFs) capable of detecting and blocking XSS payloads targeting the controller interfaces.
8) Conduct periodic security assessments and penetration tests focused on industrial control system web interfaces to proactively identify similar vulnerabilities.
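Recommendation 5 is the one most teams can act on before a firmware update is scheduled. The script below is an added example, not a Schneider Electric or offseq tool: it parses constructed Combined Log Format access-log lines (the log format, the `/certificates` path and the sample entries are assumptions), percent-decodes the request target so encoded markup is compared in plain text, and flags requests to the certificates page that carry tag or event-handler markup a certificate name never legitimately contains. The flagged host, user and timestamp are what an analyst would pivot on.

```python
"""Flag suspected XSS probing of the certificates page in web server access logs.

Added example (not a Schneider Electric tool). The log format, the watched path
and the sample lines below are constructed assumptions.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log in Combined Log Format:
# host ident user [time] "request" status size "referer" "user-agent"
SAMPLE_LOG = """\
10.0.5.21 - admin [11/Jul/2025:00:40:01 +0000] "GET /certificates HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.5.21 - admin [11/Jul/2025:00:40:09 +0000] "POST /certificates/upload HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.5.77 - eng2 [11/Jul/2025:00:41:15 +0000] "GET /certificates?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1901 "-" "curl/8.0"
10.0.5.77 - eng2 [11/Jul/2025:00:41:20 +0000] "GET /certificates?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1903 "-" "curl/8.0"
10.0.5.90 - - [11/Jul/2025:00:42:00 +0000] "GET /status HTTP/1.1" 401 0 "-" "python-requests/2.31"
"""

# Only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup that has no business in a certificate name or query parameter.
XSS_MARKERS = re.compile(
    r'<\s*/?\s*(script|img|svg|iframe|object|embed)\b'   # element tags
    r'|\bon[a-z]+\s*='                                   # event-handler attributes
    r'|javascript\s*:',                                  # javascript: URLs
    re.IGNORECASE,
)


def normalize(target: str) -> str:
    """Percent-decode up to three times so double-encoded input is compared decoded."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def parse_line(line: str):
    """Return the captured fields for one log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_xss_attempts(log_text: str, watched_prefix: str = "/certificates"):
    """Return triage records for requests to the watched path that carry XSS-style markup."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry:
            continue
        target = normalize(entry["target"])
        if target.startswith(watched_prefix) and XSS_MARKERS.search(target):
            hits.append({"host": entry["host"], "user": entry["user"],
                         "time": entry["time"], "status": entry["status"],
                         "target": target})
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} user={hit['user']} "
              f"status={hit['status']} {hit['target']}")
```

Two design points matter in practice. Decoding is bounded rather than looped to a fixed point so a hostile log line cannot stall the parser, and the match is restricted to the watched path so the rule stays quiet on pages that legitimately accept HTML. A 200 status on a flagged request is the interesting case: it means the controller accepted the markup rather than rejecting it, and the authenticated user in that record is the account to investigate.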
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: schneider
- Date Reserved: 2025-04-23T16:26:46.063Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68487f561b0bd07c3938a47c
Added to database: 6/10/2025, 6:54:14 PM
Last enriched: 7/11/2025, 12:49:24 AM
Last updated: 8/7/2025, 8:20:11 PM
Related Threats
- CVE-2025-54864: CWE-306: Missing Authentication for Critical Function in NixOS hydra (Medium)
- CVE-2025-54800: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in NixOS hydra (High)
- CVE-2025-8452: CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory in Brother Industries, Ltd HL-L8260CDN (Medium)
- CVE-2025-5468: CWE-61: UNIX Symbolic Link in Ivanti Connect Secure (Medium)
- CVE-2025-5466: CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in Ivanti Connect Secure (Medium)