CVE-2025-41768 is a stored cross-site scripting (XSS) vulnerability identified in Beckhoff Automation's TwinCAT.HMI.Server, a component used for human-machine interface (HMI) in industrial automation. The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, an authenticated administrator can inject arbitrary content into a custom CSS field within the HMI server interface. This malicious content is stored persistently on the device and later rendered on the login and error pages, which are accessible to users. Because the injected content is CSS, it can be crafted to execute malicious scripts or manipulate the page's appearance to facilitate further attacks such as session hijacking or credential theft. The vulnerability requires administrator-level privileges to exploit, meaning an attacker must already have significant access to the system. The CVSS 3.1 base score is 5.5 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and partial confidentiality and integrity impacts. No public exploits or patches are currently available, increasing the importance of monitoring and applying vendor updates once released. This vulnerability is particularly concerning in industrial control systems where Beckhoff's TwinCAT.HMI.Server is deployed, as it could allow attackers to escalate privileges or move laterally within critical infrastructure environments.

For European organizations, especially those in manufacturing, energy, and critical infrastructure sectors relying on Beckhoff Automation's TwinCAT.HMI.Server, this vulnerability poses a risk of unauthorized code execution within the HMI interface. Exploitation could lead to theft of sensitive information such as credentials or session tokens, manipulation of HMI displays, or unauthorized commands issued to industrial control systems. While the attack requires administrator credentials, insider threats or compromised admin accounts could leverage this vulnerability to escalate attacks. The persistence of malicious content increases the risk of repeated exploitation and potential disruption of industrial processes. Confidentiality and integrity impacts are moderate, but availability is not directly affected. Given the strategic importance of industrial automation in Europe’s economy and critical infrastructure, exploitation could have cascading effects on operational continuity and safety.

Organizations should immediately audit administrator access to TwinCAT.HMI.Server instances and restrict admin privileges to trusted personnel only. Implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Monitor and log administrative activities for suspicious behavior. Until an official patch is released by Beckhoff Automation, consider disabling or restricting the use of custom CSS fields in the HMI server configuration. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the HMI interface. Regularly update and patch all industrial control system components as vendor updates become available. Conduct security awareness training for administrators to recognize and prevent injection of malicious content. Finally, segment industrial networks to limit exposure of HMI servers to untrusted networks and reduce lateral movement opportunities.