Executive Summary

CVE-2026-25786 is a set of cross-site scripting flaws in the integrated web server of Siemens SIMATIC S7 PLCs that allows an attacker to inject and execute script in the browser session of an authenticated engineer or operator. At CVSS 9.1 the physical criticality is direct: script executed in a valid web session runs against the same controller that governs drives, safety logic, and process actuators on the plant floor.

Technical Exposure Breakdown

The vulnerable component is the web server embedded in the S7 controller firmware and related SIMATIC Drive Control family devices. This is not a standalone HMI application. It is the diagnostic and configuration surface that ships inside the PLC itself and is reachable over HTTP or HTTPS on the controller's own network interface.

Cross-site scripting in a PLC web server is materially worse than the same class of bug in an enterprise web application. The injected payload runs in the context of a session that already holds privileges to read controller diagnostics, view tag values, and in many configurations trigger web-facing control actions. An attacker who lands stored script into a field that is rendered back to a logged-in user, or who crafts a reflected link and gets an engineer to click it, inherits that engineer's authenticated context.

The preconditions are the standard failure state of most plant networks. The controller web server is enabled, it is reachable from an engineering workstation or an operator terminal, and the attacker has either a foothold on that segment or a way to deliver a malicious URL. On a flat OT VLAN with shared engineering laptops, both conditions are usually satisfied by default. The 9.1 rating reflects that XSS here is not an information leak. It is a session-borne path to interacting with a live controller.

OT Impact and Compliance Risk

What breaks physically depends on what the S7 controls. In a SIMATIC Drive Control deployment that is motor speed and torque on rotating equipment. In process lines it is valve position, dosing, and sequence logic. Session hijacking against the web server does not require the attacker to author ladder logic. It only requires that they ride an authenticated session to read state or issue web-exposed commands, which is enough to disrupt a controlled process.

For compliance, IEC 62443 zone and conduit requirements are the direct casualty. A PLC web server reachable from a general-purpose workstation violates the segmentation model 62443-3-3 assumes. NERC CIP asset owners must treat any exploitable S7 as a BES Cyber Asset exposure and account for it under CIP-007 patch management and CIP-005 electronic access controls. Pipeline operators under TSA SD-02C must map this against their required network segmentation and critical cyber system inventory. Water and wastewater utilities carrying S7 controllers should fold this into their AWIA 2018 risk and resilience assessment rather than treating it as an IT ticket.

Compensating Controls

Do not open an active scan against these controllers to confirm exposure. Probing PLC web servers with vulnerability scanners has bricked industrial components before, and an S7 mid-cycle is not a safe scan target. Use passive discovery and configuration review instead.

Siemens is staging fix versions across the affected family. Track which of your controllers have a released fix and which are still pending, and apply the network controls above for every unit that cannot be patched during the current maintenance window.

BreachSpider Intel

BreachSpider tracks CVE-2026-25786 fix availability and exploitation signals across the SIMATIC S7 estate so you can prioritize the controllers that actually sit in your process path.