Beckhoff: XSS Vulnerability in TwinCAT 3 HMI Server
Monitor · CVSS 5.5 · VDE-2025-106 · Jan 26, 2026
Beckhoff · Manufacturing
Attack path
- Attack Vector: Network
- Auth Required: High
- Complexity: Low
- User Interaction: None needed
Summary
A Cross-Site Scripting (XSS) vulnerability exists in TwinCAT 3 HMI Server that allows administrators to upload arbitrary content into the CUSTOM_CSS field via the server configuration page. This malicious content is persisted on the device and executed when rendered on login and error pages. The vulnerability requires administrator access and malicious intent to exploit.
What this means
What could happen
An administrator could inject malicious JavaScript code that executes in the browser of other users accessing the HMI Server login or error pages, potentially stealing credentials or redirecting users to malicious sites. This could disrupt visibility into plant operations or compromise access to control interfaces.
Who's at risk
Manufacturing organizations running TwinCAT 3 automation software with the optional HMI Server component are affected. Specifically, operators and administrators who access the HMI Server web interface for remote monitoring or control are at risk if an administrator has been compromised or acts maliciously.
How it could be exploited
An attacker with administrative credentials accesses the TwinCAT 3 HMI Server configuration page and injects malicious JavaScript into the CUSTOM_CSS field. When other users (operators or additional administrators) visit the login page or encounter an error page, the JavaScript executes in their browser, allowing credential theft or further compromise of the HMI interface.
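The defect above is a stored XSS through a configuration value that ends up in page markup. The following is an added example, not Beckhoff's or the TwinCAT HMI Server's code, of how such a setting can be validated before it is persisted and then served so that it cannot carry script to the login or error pages; the CUSTOM_CSS name comes from the advisory, while the size limit, function names and response headers are assumptions.

```javascript
// Added example, not Beckhoff/TwinCAT HMI Server code: handling an administrator-
// supplied stylesheet setting (CUSTOM_CSS) so it cannot carry script into the
// login or error pages. Storage, templates and names are assumptions.
const MAX_CSS_BYTES = 64 * 1024;
// Constructs a theme never needs but which change the page's trust boundary:
// '<' can close an inline <style> from inside it; @import / javascript: pull in
// remote or script content; expression() and -moz-binding were legacy CSS script
// hooks. '>' stays allowed: it is the child combinator, not a breakout.
const FORBIDDEN = [
  [/</, "the character '<' is not valid inside a stylesheet"],
  [/@import\b/i, "@import is not permitted"],
  [/javascript\s*:/i, "javascript: URLs are not permitted"],
  [/expression\s*\(/i, "expression() is not permitted"],
  [/-moz-binding/i, "-moz-binding is not permitted"],
];

// Validate before persisting; reject rather than strip, so a partial filter
// cannot leave a reassembled payload behind.
function validateCustomCss(input) {
  if (typeof input !== "string") return { ok: false, reason: "CUSTOM_CSS must be a string" };
  if (Buffer.byteLength(input, "utf8") > MAX_CSS_BYTES) return { ok: false, reason: "CUSTOM_CSS exceeds size limit" };
  for (const [pattern, reason] of FORBIDDEN) {
    if (pattern.test(input)) return { ok: false, reason };
  }
  return { ok: true };
}

// Serve the stored CSS as its own resource with a CSS content type and nosniff,
// instead of inlining it into the HTML of the login/error page.
function customCssResponse(storedCss) {
  return {
    status: 200,
    headers: { "Content-Type": "text/css; charset=utf-8", "X-Content-Type-Options": "nosniff" },
    body: storedCss,
  };
}

// A CSP that allows only nonce'd scripts on the login/error page means even a
// future rendering bug that re-inlines admin content cannot execute script.
function loginPageHeaders(nonce) {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": `default-src 'self'; script-src 'nonce-${nonce}'; ` +
      "style-src 'self'; object-src 'none'; base-uri 'none'",
  };
}
// Constructed samples: a legitimate theme tweak, and text trying to leave the style context.
const SAMPLE_THEME = ".login-box > h1 { color: #0a5; background: url(/img/logo.png); }";
const SAMPLE_BREAKOUT = "body {} </style>";
```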
Prerequisites
- Administrative access to the TwinCAT 3 HMI Server configuration interface
- TwinCAT.HMI.Server package version below 14.4.267, or TF2000-HMI-Server OS package below 14.4.267 on affected platforms
Key points
- Low complexity attack
- Requires administrative credentials (insider threat)
- Affects access control interface (HMI)
- XSS can lead to credential theft or account takeover
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
2 with fix, 2 pending
Product | Affected Versions | Fix Status
TwinCAT.HMI.Server tcpkg package | < 14.4.267 | Fixed in 14.4.267
TF2000-HMI-Server OS software package for TwinCAT/BSD | < 14.4.267 | Fixed in 14.4.267
tf2000-hmi-server OS software package for Beckhoff RT Linux(R) on ARM64 | < 14.4.267 | No fix yet
tf2000-hmi-server for Beckhoff RT Linux(R) on AMD64 | < 14.4.267 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict access to the HMI Server configuration page to a minimal set of trusted administrative accounts
WORKAROUND: Monitor and audit administrative access logs to the HMI Server configuration interface for unauthorized changes
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update TwinCAT.HMI.Server tcpkg package to version 14.4.267 or later
HOTFIX: Update TF2000-HMI-Server OS software package on TwinCAT/BSD systems to version 14.4.267 or later
CVEs (1)