June 10, 2025
Severity
Medium
Analysis Summary
CVE-2025-3117 CVSS:5.4
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists affecting configuration file paths. Unvalidated data injected by an authenticated malicious user could be used to modify or read data in a victim’s browser.
CVE-2025-3116 CVSS:6.5
An Improper Input Validation vulnerability exists that could cause Denial of Service when an authenticated malicious user sends a specially malformed HTTPS request containing improperly formatted body data to the controller.
CVE-2025-3905 CVSS:5.4
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists affecting PLC system variables. Unvalidated data injected by an authenticated malicious user could be used to modify or read data in a victim’s browser.
CVE-2025-3112 CVSS:7.1
An Uncontrolled Resource Consumption vulnerability exists that could cause Denial of Service when an authenticated malicious user sends a manipulated HTTPS Content-Length header to the webserver.
CVE-2025-3899 CVSS:5.4
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists in the Certificates page on the webserver. Unvalidated data injected by an authenticated malicious user could be used to modify or read data in a victim’s browser.
Impact
- Denial of Service
- Cross-Site Scripting
Indicators of Compromise
CVE
CVE-2025-3117
CVE-2025-3116
CVE-2025-3905
CVE-2025-3112
CVE-2025-3899
Affected Vendors
- Schneider Electric
Affected Products
- Schneider Electric Modicon Controllers M241/M251 5.3.12.51
- Schneider Electric Modicon Controllers M262 5.3.9.18
- Schneider Electric Modicon Controllers M258 / LMC058
Remediation
Refer to the Schneider Electric Security Advisory for patch, upgrade, or suggested workaround information.