Date
11/03/2025
Impact
Medium
CVE IDs
CVE-2025-7746

Reflected Cross-Site Scripting (XSS) in Schneider Electric ATV630

The Schneider Electric ATV630 is vulnerable to a reflected cross-site scripting (XSS) vulnerability. This flaw allows attackers to inject malicious scripts that are executed in the context of a user’s browser session.

Vendor description

„Schneider’s purpose is to create Impact by empowering all to make the most of our energy and resources, bridging progress and sustainability. At Schneider,
we call this Life Is On. Our mission is to be the trusted partner in Sustainability and Efficiency. […]

Source: https://www.se.com/ww/en/about-us/company-profile/


Vulnerable versions

ATV630

  • app V3.4IE35
  • eth V1.FIE26
  • cpld V0.0IE16
  • pwr V1.3IE08
  • mc V3.4IE35
  • product v3.4IE35

See also the security notification from Schneider Electric: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-252-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-252-01.pdf

Vulnerability overview

1) Reflected Cross-Site Scripting (CVE-2025-7746)
A Reflected Cross-Site Scripting vulnerability was identified in the web interface of the device. The ClientNonce parameter can be abused to inject JavaScript code. An attacker can exploit this vulnerability by luring a victim to visit a malicious website. Furthermore, it is possible to hijack the session of the attacked user.

Proof of Concept

1) Reflected Cross-Site Scripting (CVE-2025-7746)

During the logon process a ClientNonce can be specified to trigger a cross-site scripting vulnerability. The following request to the server contains script code to demonstrate this problem:

GET /<redacted-patch-is-missing> HTTP/1.1
Host: 172.21.241.60
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Origin: http://172.21.241.60
Connection: close
Referer: http://172.21.241.60/
Cookie: 20c7ac82=1

The webserver of the device responds without filtering the payload. Therefore, the script code gets executed:

HTTP/1.1 200 OK
Date: Fri, 09 Jan 1970 22:53:45 GMT
Server: Document not found
Connection: Close
Content-Type: text/html; charset=utf-8
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Set-Cookie: z9ZAqJtI=93f19ed6000bcdf9; path=/
r="<redacted-patch-is-missing>5r3e4AVzTY+Fkc5aEaga5CRsIC8eOUUux/Al36Ffr7U=,s=4fcb2dd77ee4bc4e1d9066e371c2034d1b55e07d28b9474e692c3f3531992b17,i=4096

This vulnerability can be triggered via GET and POST requests.
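The root cause described above is a client-controlled value reflected unfiltered into a text/html response. The following Python is an added illustration for this advisory, not code from the ATV630 firmware or from CyberDanube: it shows the vulnerable shape (nonce concatenated into the body as-is), a hardened shape (allowlist on the nonce, non-HTML content type with nosniff), and a small log check that flags ClientNonce values failing the allowlist. Assumptions: the client nonce is base64-shaped like the server nonce in the advisory's response, the parameter is passed as a ClientNonce query-string key (the real request line is redacted), and the r=/s=/i= body is a login-protocol message consumed by the page's XHR client rather than rendered HTML. The salt value and request lines are constructed samples.

```python
# Added example (not the ATV630's code): allowlist validation of a reflected
# login parameter, a safe way to return the resulting message, and a log check.
import base64
import re
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: the client nonce is base64-shaped (the server nonce in the
# advisory's response is), so anything outside that alphabet is rejected.
CLIENT_NONCE_RE = re.compile(r"^[A-Za-z0-9+/]{16,88}={0,2}$")


def is_valid_client_nonce(nonce: str) -> bool:
    """Allowlist check: quotes, angle brackets, commas or spaces never pass."""
    return CLIENT_NONCE_RE.fullmatch(nonce) is not None


def server_first_message_vulnerable(client_nonce: str, salt_hex: str,
                                    iterations: int = 4096,
                                    server_nonce: str = "SERVERNONCE") -> str:
    """'Before' shape: the client-supplied nonce is concatenated into the body
    unchanged; served as text/html (as in the advisory), a browser renders any
    markup the nonce contains."""
    return f'r="{client_nonce}{server_nonce}",s={salt_hex},i={iterations}'


def server_first_message_hardened(client_nonce: str, salt_hex: str,
                                  iterations: int = 4096,
                                  server_nonce: Optional[str] = None
                                  ) -> Tuple[Dict[str, str], str]:
    """'After' shape: reject non-conforming nonces and serve the protocol
    message with a non-HTML content type plus nosniff, so the browser never
    interprets it as a document. Returns (headers, body)."""
    if not is_valid_client_nonce(client_nonce):
        raise ValueError("client nonce rejected: not base64-shaped")
    if server_nonce is None:
        # Fresh server nonce per login attempt (constructed here, 24 random bytes).
        server_nonce = base64.b64encode(secrets.token_bytes(24)).decode("ascii")
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
    body = f'r="{client_nonce}{server_nonce}",s={salt_hex},i={iterations}'
    return headers, body


def flag_suspicious_nonce_request(request_line: str) -> bool:
    """Log triage: True when a request line carries a ClientNonce query value
    that fails the allowlist. Assumes the parameter name ClientNonce in the
    query string; the advisory's own request path is redacted."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    query = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    return any(not is_valid_client_nonce(v) for v in query.get("ClientNonce", []))


# Constructed sample request lines (not taken from the advisory).
SAMPLE_REQUEST_LINES = [
    "GET /login?ClientNonce=5r3e4AVzTY%2BFkc5aEaga5CRsIC8eOUUux%2FAl36Ffr7U%3D HTTP/1.1",
    "GET /login?ClientNonce=abc%22%3C%3Edef HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        print(flag_suspicious_nonce_request(line), line)
```

Note that HTML-escaping is deliberately not applied to the hardened body: the message is a protocol string, and `&quot;` would corrupt it for the client. Escaping is the right tool only where the value is rendered into an HTML page; for a value returned to script, the fix is input validation plus a content type the browser will not render.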

Solution

None. A firmware update will be published by Schneider Electric.

Workaround

Restrict network access to the management interface.

Recommendation

A full security review is recommended by CyberDanube.


Contact Timeline

  • 2025-03-11: Contacted Schneider Electric PSIRT and sent the advisory via PGP.
  • 2025-03-12: Received case tracking number from Schneider Electric PSIRT.
  • 2025-04-10: Asking for an update.
  • 2025-04-14: Vendor confirmed the vulnerability.
  • 2025-05-21: Asking for an update.
  • 2025-05-22: Vendor targets to publish an update on 9th of September. Set
    disclosure date to 2025-09-09.
  • 2025-06-23: Asking for an update; vendor responded that they will notify us if
    an earlier publication is planned.
  • 2025-09-02: PSIRT informed us that the patch cannot be delivered on 9th of
    September. Re-sent the advisory to sync on the information to be published.
  • 2025-09-04: XSS PoC code in the advisory has been redacted upon request from
    PSIRT.
  • 2025-09-09: Coordinated release of security advisory.

Author(s)

David Blagojevic

David Blagojevic is a Security Researcher at CyberDanube. He is currently engaged in research activities within the fields of firmware emulation and firmware analysis, where he is contributing to the development and advancement of the MEDUSA Firmware Emulation Framework.

Thomas Weber

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware; today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM (international). Nowadays, he brings his competence and experience into security products.