Impact
Affected Siemens industrial control devices fail to validate and sanitize the Technology Object name displayed on the Motion Control Diagnostics web page. An attacker who can log in and download a TIA project can inject malicious scripts into that page. When a legitimate user with the same access rights views the page, the embedded code executes within their browser session, potentially allowing the attacker to run arbitrary client‑side scripts and perform actions on behalf of the user.
Affected Systems
Version information is not provided, but the vulnerability affects a broad set of Siemens programmable logic controller families, including SIMATIC Drive Controller CPUs (1504D TF, 1507D TF), numerous SIMATIC ET 200SP models (1510SP‑1, 1512SP‑1, 1514SP‑2, etc.), and the SIMATIC S7‑1500 CPU line (1511, 1512, 1513, 1515, 1516, 1517, 1518 variants). Software controllers and the PLCSIM Advanced environment are also impacted. All affected devices expose the Motion Control Diagnostics page in their web interface.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity. The attack is carried out through the web interface and requires authentication: the attacker must hold credentials that permit project download, a right typically granted only to privileged engineering users. Because the injected script runs in the victim's browser session, it can lead to arbitrary client-side script execution, credential theft, or further compromise of the network. EPSS data is unavailable, and the vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog, but the high score and the potential for widespread exposure demand immediate action.
OpenCVE Enrichment