CVE-2026-25789
Description
Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malicious JavaScript execution in the context of the authenticated user's session without requiring the file to be uploaded, potentially leading to session hijacking or credential theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-25789 is a stored Cross-Site Scripting (XSS) vulnerability in the Firmware Update page of Siemens SIMATIC controllers, exploitable via social engineering to execute malicious JavaScript in an authenticated session.
Vulnerability
CVE-2026-25789, affecting Siemens SIMATIC Drive Controller and ET 200SP Open Controller families, originates from insufficient validation and sanitization of filenames on the Firmware Update page. An attacker can craft a malicious filename containing JavaScript code, which is not properly escaped before being presented to the user [1].
Exploitation requires social engineering: a remote attacker persuades an authenticated user to select the specially crafted firmware file from the upload dialog. Critically, the malicious script executes even if the file is not actually uploaded; simply selecting the file triggers the payload via reflected or stored content [1]. No authentication bypass or network-level access beyond the application itself is needed; the attacker relies on tricking a user who already has a valid session.
Successful exploitation would result in JavaScript execution within the security context of the authenticated user’s browser session. This could enable arbitrary actions such as session hijacking, credential theft, or unintended firmware operations, effectively compromising the integrity of the device and any connected systems [1].
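The root cause described above is a filename that reaches the page's markup unencoded at the moment the user picks it in the upload dialog. The following is an added example (not Siemens code and not taken from the advisory) showing the vulnerable rendering pattern beside a hardened one: an allowlist check on the name plus HTML output encoding. The function names, the `.upd` extension in the allowlist and the sample filename are assumptions constructed for the example.

```javascript
// Added example: handling the name of a firmware file the user has just selected,
// before that name is echoed back into the page. Not the product's own code.

// Vulnerable pattern: the raw filename is interpolated straight into HTML.
// Anything the browser reads as markup in the name becomes live markup here.
function renderStatusUnsafe(fileName) {
  return `<p>Selected firmware: ${fileName}</p>`;
}

// Output encoding for the HTML element context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Input validation: firmware names are expected to be short, made of a small
// printable character set, and carry the expected extension.
// The ".upd" extension is an assumption for this example; adapt to product rules.
const FIRMWARE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.upd$/i;
function validateFirmwareName(fileName) {
  return FIRMWARE_NAME.test(fileName);
}

// Hardened pattern: reject unexpected names, and encode whatever is rendered.
function renderStatusSafe(fileName) {
  if (!validateFirmwareName(fileName)) {
    return '<p>Selected file rejected: name contains unexpected characters.</p>';
  }
  return `<p>Selected firmware: ${escapeHtml(fileName)}</p>`;
}

// Constructed sample inputs (not real firmware names).
const SAMPLE_OK = 'controller_v2.1.upd';
const SAMPLE_MARKUP = 'fw<b>1.upd';

// In a browser this would be wired to the file input's change event, which fires
// on selection, before any upload, matching the advisory's "no upload required":
//   input.addEventListener('change', (e) => {
//     status.innerHTML = renderStatusSafe(e.target.files[0].name);
//   });
// Assigning status.textContent instead of innerHTML removes the markup context
// entirely and is the simpler fix where no formatting is needed.
```

Detection-wise, a review of the page's client-side code for `innerHTML`, `document.write` or template interpolation of `file.name` without encoding is the quickest way to spot the same weakness elsewhere.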
Siemens has released security advisories (SSA-688146) with product-specific remediation guidance. Users should apply firmware updates in line with vendor instructions and enforce user awareness training to reduce the likelihood of social engineering attacks [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions (1)
- Siemens SIMATIC S7 PLC Web Server (CISA Alerts)