CVE-2025-9404: Cross Site Scripting in Scada-LTS

Severity: Medium
Type: Vulnerability
Published: Mon Aug 25 2025 (08/25/2025, 02:32:06 UTC)
Source: CVE Database V5
Product: Scada-LTS

Description

A vulnerability was identified in Scada-LTS up to 2.7.8.1. The affected element is an unknown function of the file /pointHierarchySLTS of the component Folder Handler. The manipulation of the argument Title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 08/25/2025, 03:17:54 UTC

Technical Analysis

CVE-2025-9404 is a cross-site scripting (XSS) vulnerability identified in Scada-LTS versions up to 2.7.8.1, specifically within the Folder Handler component at the /pointHierarchySLTS endpoint. The vulnerability arises from improper sanitization of the 'Title' argument, which allows an attacker to inject malicious scripts. This flaw can be exploited remotely without authentication, although user interaction is required to trigger the malicious payload. The vulnerability has a CVSS 4.0 base score of 4.8, indicating a medium severity level. The attack vector is network-based with low attack complexity, but it requires user interaction and privileges to execute. The impact primarily affects the integrity and confidentiality of the affected system by enabling script injection, which could lead to session hijacking, defacement, or redirection to malicious sites. No known exploits are currently observed in the wild, but public exploit code is available, increasing the risk of exploitation. The vulnerability does not affect availability and does not require privilege escalation or system compromise to be initiated, but it does require some level of user interaction to be successful.

Potential Impact

For European organizations using Scada-LTS, particularly those in critical infrastructure sectors such as energy, water management, and industrial automation, this vulnerability poses a risk of unauthorized script execution within the management interface. Successful exploitation could lead to theft of session tokens, unauthorized commands, or manipulation of displayed data, undermining operational integrity and potentially causing misinformation or operational disruptions. Given the reliance on SCADA systems for essential services, even medium-severity vulnerabilities can have outsized impacts if leveraged in coordinated attacks. The remote exploitability increases the attack surface, especially if the affected endpoints are exposed to less secure network segments or the internet. The requirement for user interaction somewhat limits the attack scope but does not eliminate risk, especially in environments where operators may be targeted via phishing or social engineering. The absence of known active exploitation reduces immediate risk but should not lead to complacency, as public exploit availability facilitates rapid weaponization.

Mitigation Recommendations

European organizations should prioritize the following mitigations:

1) Immediate upgrade to a patched version of Scada-LTS once available, or apply vendor-provided workarounds if patches are delayed.
2) Implement strict input validation and output encoding on all user-supplied data, especially the 'Title' parameter in the /pointHierarchySLTS endpoint, to prevent script injection.
3) Restrict access to the SCADA management interfaces to trusted networks and enforce strong network segmentation to limit exposure.
4) Employ web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the vulnerable endpoint.
5) Conduct user awareness training focusing on phishing and social engineering to reduce the risk of user interaction exploitation.
6) Monitor logs and network traffic for unusual activity related to the Folder Handler component or suspicious script execution attempts.
7) Consider implementing Content Security Policy (CSP) headers to mitigate the impact of injected scripts.

These measures combined will reduce the likelihood and impact of exploitation beyond generic patching advice.
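
Mitigations 2 and 7 above, sketched as an added example (this is not Scada-LTS code and not part of the original advisory). The helper names `validateTitle`, `escapeHtml` and `renderFolderItem`, the 100-character limit, the list markup and the CSP value are all assumptions chosen for illustration.

```javascript
// Added example: hypothetical helpers, not Scada-LTS source code.
const MAX_TITLE_LENGTH = 100; // assumed limit, not a Scada-LTS constant

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Output encoding: applied every time a stored title is written into HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: rejects malformed titles before storage. It deliberately
// does not try to strip markup; a title such as "Pumps <North>" is legitimate
// data, and escapeHtml() is what keeps it inert when rendered.
function validateTitle(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const title = raw.normalize('NFC').trim();
  if (title.length === 0) return { ok: false, reason: 'empty' };
  if (title.length > MAX_TITLE_LENGTH) return { ok: false, reason: 'too long' };
  if (/[\u0000-\u001f\u007f]/.test(title)) {
    return { ok: false, reason: 'control character' };
  }
  return { ok: true, title };
}

// Rendering a folder entry in HTML element content (hypothetical markup).
function renderFolderItem(storedTitle) {
  return `<li class="folder">${escapeHtml(storedTitle)}</li>`;
}

// Constructed Content-Security-Policy value: with no 'unsafe-inline' in
// script-src, an injected inline script is refused by the browser even if
// an encoding step is missed somewhere.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample titles.
for (const raw of ['Pumps & Valves <North>', '<script>alert(1)</script>']) {
  const checked = validateTitle(raw);
  if (checked.ok) console.log(renderFolderItem(checked.title));
}
```

The encoder shown covers HTML element content and quoted attribute values only; a title placed inside a script block or a URL needs the encoding for that context instead.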

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-24T15:04:20.123Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68abd250ad5a09ad00479d0a

Added to database: 8/25/2025, 3:02:40 AM

Last enriched: 8/25/2025, 3:17:54 AM

Last updated: 8/26/2025, 12:34:54 AM
