CVE-2025-7746
Description
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow unvalidated data injected by a malicious user to modify or read data in a victim's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the Schneider ATV 630 web interface allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser.
Vulnerability
Overview
CVE-2025-7746 is a reflected Cross-Site Scripting (XSS) vulnerability in the web interface of Schneider Electric's ATV 630 variable speed drive. The flaw is an improper neutralization of user-supplied input during web page generation (CWE-79). An attacker can inject arbitrary JavaScript or HTML into a crafted URL, and the injected content is then executed in the context of the victim's browser when the link is visited [1].
Exploitation
The vulnerability is exploitable without authentication, as the attacker only needs to convince a user to click on a specially crafted link. The attacker does not need any prior network access to the device beyond normal web connectivity. The attack vector is network-based and requires user interaction, such as clicking a malicious link sent via email or other means [1].
Impact
Successful exploitation allows the attacker to modify or read data in the victim's browser, potentially reading session tokens or page content, or performing actions on behalf of the victim within the web interface of the ATV 630. The CVSS severity is rated Medium, reflecting the need for user interaction and the typical limitations of reflected XSS [1].
Mitigation
As of the advisory publication date, no firmware fix is available for the ATV 630. The vendor, Schneider Electric, has acknowledged the issue and recommends that users restrict network access to the device and follow general security best practices for industrial control systems. Users should monitor Schneider's security notifications for future patches [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions (2)
No linked articles in our index yet.