OTPulse

Improper Neutralization in Multiple Products

Monitor · CVSS 5.4 · SEVD-2026-069-02 · Mar 10, 2026
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

A cross-site scripting (XSS) vulnerability in Modicon Controllers M241, M251, M258, and LMC058 allows an attacker to inject script into the controller's web interface or to trigger an open redirect. When an authenticated user follows a malicious link or visits a malicious page while logged into the controller's interface, the attacker-controlled script runs in that user's browser, which can lead to account takeover.

What this means
What could happen
An attacker could trick an operator or engineer into running malicious script in their browser, potentially exposing credentials entered in that browser or hijacking the authenticated session to modify controller logic and process parameters.
Who's at risk
This vulnerability affects Schneider Electric Modicon M241, M251, M258, and LMC058 programmable logic controllers (PLCs) used in energy generation, distribution, and manufacturing automation systems. Anyone operating or configuring these controllers, especially engineering staff using EcoStruxure™ Machine Expert, should be concerned. The risk is highest for M258 and LMC058 users, since no fixed firmware is currently listed for those products and compensating controls are the only option.
How it could be exploited
An attacker crafts a malicious link containing an XSS payload or an open-redirect target and sends it to an authorized user (operator or engineer). When the user clicks the link while authenticated to the Modicon controller's web interface, the script executes in their browser with that user's session, allowing the attacker to steal session tokens or credentials, or to modify the controller configuration. The open-redirect path needs no prior authentication on the attacker's side; it only needs the victim to follow the link.
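The two flaws described above, as an added illustration that is not the controller's code or Schneider Electric's: a hypothetical web handler that reflects a `msg` query parameter into the page and honours a `next` redirect parameter, each shown in its vulnerable form and its neutralized form. The handler and parameter names, the 192.0.2.10 address, and the sample link are assumptions made for the example.

```javascript
// Added illustration (hypothetical handler, not Modicon firmware or Schneider
// Electric code): a reflected XSS and an open redirect in a small web handler,
// each shown in a vulnerable and a neutralized form.

// Escape the five characters that break out of HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the "msg" query parameter (hypothetical name) is reflected as-is,
// so markup and script in it become part of the page.
function renderStatusVulnerable(params) {
  const msg = params.get("msg") ?? "";
  return `<div class="status">${msg}</div>`;
}

// Neutralized: the same value is HTML-escaped before it reaches the page.
function renderStatusHardened(params) {
  const msg = params.get("msg") ?? "";
  return `<div class="status">${escapeHtml(msg)}</div>`;
}

// Vulnerable: the "next" parameter (hypothetical name) is used as the Location
// header unchecked, so a link can bounce a user to any host.
function redirectVulnerable(params) {
  return { status: 302, location: params.get("next") ?? "/" };
}

// Only a same-origin target is honoured; everything else falls back to "/".
// Returns path, query and fragment only, so the response never names a host.
function safeRedirectTarget(next, origin) {
  if (typeof next !== "string" || next === "") return "/";
  // "//host" is protocol-relative, and browsers treat backslashes as slashes.
  if (next.startsWith("//") || next.includes("\\")) return "/";
  let url;
  try {
    url = new URL(next, origin);   // resolves relative paths against our own origin
  } catch {
    return "/";
  }
  // Absolute URL to another host, or a javascript: URL (origin "null"), is rejected.
  if (url.origin !== origin) return "/";
  return url.pathname + url.search + url.hash;
}

function redirectHardened(params, origin) {
  return { status: 302, location: safeRedirectTarget(params.get("next"), origin) };
}

// Constructed sample: the query string of a link an attacker might send to a
// logged-in user. 192.0.2.10 is a documentation address standing in for a controller.
const ORIGIN = "http://192.0.2.10";
const ATTACK_QUERY = new URLSearchParams({
  msg: '<img src=x onerror="alert(document.cookie)">',
  next: "//attacker.example/login",
});

// Run both handlers over the sample link and report what each would send back.
function demo() {
  return {
    vulnerableHtml: renderStatusVulnerable(ATTACK_QUERY),
    hardenedHtml: renderStatusHardened(ATTACK_QUERY),
    vulnerableRedirect: redirectVulnerable(ATTACK_QUERY).location,
    hardenedRedirect: redirectHardened(ATTACK_QUERY, ORIGIN).location,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it with node prints the two responses side by side: the vulnerable handler returns the `<img onerror>` markup verbatim and a Location of `//attacker.example/login`, the hardened one returns the escaped text and `/`. The redirect check deliberately returns only path, query and fragment rather than echoing the parsed URL, so even a same-origin result can never carry a foreign host.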
Prerequisites
  • Valid credentials to access the controller's web interface
  • No authentication required for some attack vectors (open redirect)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4): 2 with fix, 2 pending

Product                      Affected versions   Fix status
Modicon Controllers M241     < 5.4.13.12         5.4.13.12
Modicon Controllers M251     < 5.4.13.12         5.4.13.12
Modicon Controllers M258     All versions        No fix yet
Modicon Controllers LMC058   All versions        No fix yet
Remediation & Mitigation

Modicon Controller M241
  1. Firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1, includes a fix for this vulnerability. It is installed through the Schneider Electric Software Installer: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/
  2. On the engineering workstation, install EcoStruxure™ Machine Expert v2.5.0.1. For help, refer to the Schneider Electric Software Installer User Guide: https://www.se.com/ww/en/download/document/EIO0000005500/
  3. Update the M241 controller to the latest firmware and reboot it. For instructions, refer to the Modicon M241 Logic Controller Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/

Modicon Controller M251
  1. Firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1, includes a fix for this vulnerability. It is installed through the Schneider Electric Software Installer: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/
  2. On the engineering workstation, install EcoStruxure™ Machine Expert v2.5.0.1. For help, refer to the Schneider Electric Software Installer User Guide: https://www.se.com/ww/en/download/document/EIO0000005500/
  3. Update the M251 controller to the latest firmware and reboot it. For instructions, refer to the Modicon M251 Logic Controller Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/

Modicon Controllers M258 and LMC058
  No fixed firmware is listed for these products. Until one is available, limit who can reach the controller's web interface and avoid following untrusted links from a browser that is logged into it, since that click is the step the attack depends on.
