
CVE-2025-3905: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Schneider Electric Modicon Controllers M241/M251

Severity: Medium
Tags: Vulnerability, CVE-2025-3905, CWE-79
Published: Tue Jun 10 2025 (06/10/2025, 08:32:09 UTC)
Source: CVE Database V5
Vendor/Project: Schneider Electric
Product: Modicon Controllers M241/M251

Description

CWE-79: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that affects PLC system variables. Unvalidated data injected by an authenticated malicious user could lead to data being modified or read in a victim's browser.

AI-Powered Analysis

Last updated: 07/11/2025, 01:01:58 UTC

Technical Analysis

CVE-2025-3905 is a medium-severity cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Schneider Electric Modicon M241 and M251 controllers prior to firmware version 5.3.12.51. It arises from improper neutralization of input during web page generation for PLC system variables: an authenticated malicious user can inject unvalidated data through the controllers' web interface, and when a victim opens the affected page the injected script executes in the victim's browser context, allowing the attacker to read or modify data displayed to that victim. Exploitation requires only low privileges beyond authentication, plus user interaction (the victim must visit the crafted page). The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), passive user interaction required (UI:P), no confidentiality impact and low integrity impact on the vulnerable system (VC:N, VI:L), no impact on availability (VA:N), and low confidentiality impact on subsequent systems (SC:L); the resulting score is 5.1 (medium). No exploits are currently known in the wild. The vulnerability matters because Modicon M241/M251 controllers are widely deployed in industrial control systems (ICS) for automation, and exploitation could lead to unauthorized manipulation or leakage of data through the web interface, potentially disrupting operational technology (OT) environments or exposing sensitive control data.
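To make the CWE-79 pattern described above concrete, here is an added example (not Schneider Electric code and not the M241/M251 firmware) that renders a list of PLC system variables into an HTML status page. The variable names and values, the `renderUnsafe`/`renderSafe` functions and the `hasUnexpectedTags` check are all constructed for illustration; the only real fix shown is HTML entity encoding of every untrusted field before it is placed in the page.

```javascript
// Added example, not Schneider Electric code: rendering PLC system variables
// into an HTML table. renderUnsafe() shows the CWE-79 pattern (untrusted data
// concatenated into markup); renderSafe() encodes each field for its context.

// Constructed sample: the second and third names were set by an authenticated
// user and carry HTML metacharacters.
const SAMPLE_VARIABLES = [
  { name: "Pump1_Speed", value: "1450 rpm" },
  { name: '<script>alert("xss")</script>', value: "0" },
  { name: 'Tank"Level', value: "73 % <full>" },
];

// Minimal HTML entity encoding, valid for text nodes and double-quoted attributes.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the name lands in an attribute and a text node without encoding,
// so a name containing a tag is parsed as markup by the victim's browser.
function renderUnsafe(variables) {
  return variables
    .map((v) => `<tr data-name="${v.name}"><td>${v.name}</td><td>${v.value}</td></tr>`)
    .join("");
}

// Hardened: every dynamic field is encoded before insertion.
function renderSafe(variables) {
  return variables
    .map((v) => `<tr data-name="${escapeHtml(v.name)}">` +
      `<td>${escapeHtml(v.name)}</td><td>${escapeHtml(v.value)}</td></tr>`)
    .join("");
}

// Response check for a unit test or a reverse-proxy inspection hook:
// true when the rendered fragment contains any tag the template did not emit.
function hasUnexpectedTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.some((t) => !/^<\/?(tr|td)\b/i.test(t));
}

module.exports = { SAMPLE_VARIABLES, escapeHtml, renderUnsafe, renderSafe, hasUnexpectedTags };
```

Running `hasUnexpectedTags` over the two renderings shows the injected `<script>` and `<full>` tags only survive in the unencoded output.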

Potential Impact

For European organizations, especially those in critical infrastructure sectors such as manufacturing, energy, water treatment, and transportation that rely on Schneider Electric Modicon M241/M251 PLCs, this vulnerability poses a risk of unauthorized data exposure and manipulation via the web interface. While the vulnerability requires an authenticated attacker and user interaction, the potential impact includes theft of sensitive operational data, manipulation of displayed information leading to incorrect operational decisions, and erosion of trust in control system integrity. This could result in operational disruptions, safety hazards, or compliance violations under regulations like NIS2 or GDPR if sensitive data is exposed. The medium severity indicates that while the threat is not immediately critical, it should be addressed promptly to prevent escalation or chaining with other vulnerabilities. European ICS environments often have stringent security requirements, and this vulnerability highlights the need for robust authentication and input validation controls in OT systems.

Mitigation Recommendations

1. Immediately upgrade Schneider Electric Modicon Controllers M241/M251 to firmware version 5.3.12.51 or later, where the vulnerability is patched.
2. Restrict access to the controllers' web interface to trusted networks only, using network segmentation and firewall rules to limit exposure.
3. Implement strong authentication mechanisms and monitor for unusual login attempts to detect potentially malicious authenticated users.
4. Employ web application firewalls (WAF) or intrusion detection systems (IDS) tailored for ICS environments to detect and block XSS payloads targeting the controllers.
5. Conduct regular security audits and penetration tests focusing on the web interfaces of ICS devices to identify and remediate input validation issues.
6. Educate operational staff about the risks of interacting with suspicious links or web pages related to ICS devices, reducing the chance that the required user interaction occurs.
7. Monitor vendor advisories for updates or additional patches and apply them promptly.


Technical Details

Data Version: 5.1
Assigner Short Name: schneider
Date Reserved: 2025-04-23T16:29:08.918Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68487f561b0bd07c3938a496

Added to database: 6/10/2025, 6:54:14 PM

Last enriched: 7/11/2025, 1:01:58 AM

Last updated: 8/7/2025, 4:24:35 PM

