VYPR
Medium severity (5.5, NVD Advisory) · Published Jan 20, 2026 · Updated Apr 15, 2026

CVE-2025-41768

Description

A high-privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting').

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated high-privileged attacker can inject persistent XSS into TwinCAT 3 HMI Server's custom CSS field, affecting login and error pages.

Vulnerability

Overview

The TwinCAT 3 HMI Server, an optional component of the TwinCAT 3 XAR package, contains a stored cross-site scripting (XSS) vulnerability in its server configuration page. The custom CSS field does not properly neutralize user input, allowing an authenticated administrator to inject arbitrary web content [1]. This content is persisted on the device and rendered on every login and error page [1].

Exploitation

Conditions

Exploitation requires high-privileged access; only administrative users can reach the server configuration page where the custom CSS field is located [1]. The attacker must be authenticated and have the ability to modify server settings. The injected payload is stored server-side and served to all users viewing the login or error pages, making it a stored XSS attack [1].

Impact

An attacker who successfully injects malicious content can execute arbitrary scripts in the context of other users' sessions when they access the affected pages. This could lead to session hijacking, credential theft, or further compromise of the HMI server [1]. The vendor notes that administrators already have broad access rights, so exploitation would require malicious intent from an administrator [1].

Mitigation

Beckhoff has not released a patch as of the advisory date; the vulnerability is documented in VDE-2025-106 [1]. Organizations should restrict administrative access to the HMI server and monitor for unauthorized changes to the custom CSS field. No workaround is provided in the advisory.
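The Overview and Mitigation passages above describe two things a defender can act on: a custom CSS field that is copied into generated pages without neutralization, and the advice to monitor that field for unauthorized changes. The following Python is an added example, not Beckhoff's code and not taken from the advisory; it assumes a generic HMI-style server that interpolates the stored field into a `<style>` block on its login page, and shows the vulnerable rendering beside a hardened one, plus an audit and change-detection check for the stored value. The sample CSS values are constructed.

```python
"""Custom-CSS neutralization and change monitoring (added example, not the product's code)."""
import hashlib
import re

# Constructed sample values for a hypothetical "custom CSS" server setting.
LEGIT_CSS = "body { background: #202020; } .login-logo { display: none; }"
TAINTED_CSS = "body {} </style><b>injected markup</b><style>"

# Inside a <style> element the HTML tokenizer stays in raw-text mode until it sees
# "</style" (case-insensitive, optional whitespace after "</" is tolerated by some parsers),
# so that sequence is the one thing legitimate CSS never needs to contain.
STYLE_BREAKOUT = re.compile(r"</\s*style", re.IGNORECASE)


def render_login_page_unsafe(custom_css: str) -> str:
    """Vulnerable pattern: the stored field is copied verbatim into the <style> block,
    so a value containing '</style' leaves the stylesheet context and is parsed as HTML."""
    return ("<html><head><style>" + custom_css + "</style></head>"
            "<body><form>login</form></body></html>")


def neutralize_custom_css(custom_css: str) -> str:
    """Hardened form: encode every '<' with the CSS escape '\\3c ' (hex code point plus a
    terminating space). Legitimate CSS keeps its meaning (the escape is valid inside CSS
    strings and identifiers) while no '<' survives, so '</style' can never be formed."""
    return custom_css.replace("<", "\\3c ")


def render_login_page_safe(custom_css: str) -> str:
    """Same page, but the stored field passes through neutralize_custom_css first."""
    return ("<html><head><style>" + neutralize_custom_css(custom_css) + "</style></head>"
            "<body><form>login</form></body></html>")


def looks_like_markup_injection(custom_css: str) -> bool:
    """Audit rule for the stored value: flag any attempt to close the <style> context.
    Intended for reviewing configuration changes, not as the sole rendering defence."""
    return STYLE_BREAKOUT.search(custom_css) is not None


def fingerprint(custom_css: str) -> str:
    """Stable hash of the stored field so a periodic job can detect any change."""
    return hashlib.sha256(custom_css.encode("utf-8")).hexdigest()


def check_for_change(baseline_fp: str, current_css: str) -> dict:
    """Compare the current setting against an approved baseline; report whether it changed
    and whether the new value also trips the injection audit rule."""
    changed = fingerprint(current_css) != baseline_fp
    return {
        "changed": changed,
        "suspicious": changed and looks_like_markup_injection(current_css),
    }


if __name__ == "__main__":
    baseline = fingerprint(LEGIT_CSS)
    print("unsafe page contains breakout:", "</style><b>" in render_login_page_unsafe(TAINTED_CSS))
    print("safe page contains breakout:  ", "</style><b>" in render_login_page_safe(TAINTED_CSS))
    print("change check:", check_for_change(baseline, TAINTED_CSS))
```

The escape-based approach is preferable to a blocklist because it removes the only character that can end the raw-text context, whereas the audit rule is deliberately narrow and exists to surface suspicious edits to an administrator-only setting for review. A real deployment would record the baseline fingerprint when the setting is approved and re-run `check_for_change` from a scheduled job or on every configuration write.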

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.