CVE-2025-41768

Summary

An high privileged remote attacker can inject arbitrary content into the custom CSS field on the affected devices due to improper neutralization of input during web page generation ('Cross-site Scripting').

Affected Software

VendorProductVersion RangeStatus
Beckhoff AutomationTwinCAT.HMI.Server0.0.0 < 14.4.267affected
Beckhoff AutomationTF2000-HMI-Server0.0.0 < 14.4.267affected
Beckhoff Automationtf2000-hmi-server0.0.0 < 14.4.267affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References