Platform: other
Component: openplc_v3
Fixed version: pull request #310
CVE-2025-13970 describes a cross-site request forgery (CSRF) vulnerability affecting OpenPLC_V3. An attacker can craft a malicious link that, when opened by a logged-in administrator, causes the administrator's browser to submit unintended requests to the PLC web interface, resulting in unauthorized actions. The vulnerability affects versions prior to pull request #310; the fix is contained in pull request #310.
The CSRF vulnerability in OpenPLC_V3 poses a significant risk to systems relying on PLC automation. An attacker can leverage this flaw to trick an authenticated administrator into performing actions they did not intend. This could involve modifying PLC settings, uploading malicious programs, or executing arbitrary commands within the PLC environment. Successful exploitation could lead to disruption of industrial processes, damage to equipment, or even safety hazards, depending on the PLC's role in the system. The potential impact is amplified if the PLC controls critical infrastructure or safety-critical functions.
CVE-2025-13970 was publicly disclosed on 2025-12-13. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is pending evaluation, but the HIGH CVSS score suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Organizations utilizing OpenPLC_V3 in industrial automation, particularly those with remote access to PLC configuration interfaces, are at risk. Legacy deployments with weak authentication practices or shared hosting environments are especially vulnerable.
Disclosure
Exploitation status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13970 is to upgrade OpenPLC_V3 to the version incorporating pull request #310, which includes the necessary CSRF validation. If immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting access to PLC configuration interfaces, enforcing multi-factor authentication for administrative accounts, and carefully scrutinizing any links received via email or other external sources. Implementing a Web Application Firewall (WAF) with CSRF protection rules can also provide an additional layer of defense. After upgrading, confirm the fix by attempting to trigger a PLC configuration change via a crafted URL; the request should be rejected due to CSRF protection.
Update OpenPLC_V3 to a version after pull request #310. This fixes the CSRF vulnerability by implementing proper CSRF validation. For the latest version and update instructions, refer to the OpenPLC_V3 repository on GitHub.
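The "CSRF validation" the fix adds is, in general terms, the synchronizer-token pattern: the server issues one unpredictable token per authenticated session, embeds it in its own forms, and rejects any state-changing request that does not echo it back. The following is an added example written for this page; it is not OpenPLC_V3 code and not the contents of pull request #310. The request shape (method, headers, form fields, session id), the field and header names, and the allowed origin are assumptions made for the illustration. It also shows the kind of post-upgrade check described above: a forged POST without the token, or with a foreign Origin, is refused while a legitimate same-origin POST carrying the session's token is accepted.

```python
import hmac
import secrets
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed example of a synchronizer-token CSRF guard for a web UI such as
# a PLC configuration page. Not OpenPLC_V3 code; request shape, field names
# and the allowed origin below are assumptions for the example.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must not change PLC state
TOKEN_FIELD = "csrf_token"                  # hidden form field (assumed name)
TOKEN_HEADER = "X-CSRF-Token"               # alternative for AJAX calls (assumed name)


class CsrfGuard:
    """One random token per server-side session, validated on every
    non-safe request, plus an Origin/Referer check as defence in depth."""

    def __init__(self, allowed_origins: set[str]):
        self._tokens: dict[str, str] = {}   # session_id -> token (kept server side)
        self._allowed_origins = allowed_origins

    def issue_token(self, session_id: str) -> str:
        """Return the session's token, creating it on first use. The server
        embeds this value in its own forms; a cross-site page cannot read it."""
        token = self._tokens.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)
            self._tokens[session_id] = token
        return token

    def _origin_allowed(self, headers: Mapping[str, str]) -> bool:
        # Browsers send Origin on cross-site form posts; compare scheme://host[:port].
        value = headers.get("Origin") or headers.get("Referer")
        if value is None:
            return True            # no header: rely on the token check below
        parts = urlsplit(value)
        return f"{parts.scheme}://{parts.netloc}" in self._allowed_origins

    def validate(self, method: str, headers: Mapping[str, str],
                 form: Mapping[str, str], session_id: Optional[str]) -> tuple[bool, str]:
        """Return (allowed, reason) for one incoming request."""
        if method.upper() in SAFE_METHODS:
            return True, "safe method"
        if session_id is None or session_id not in self._tokens:
            return False, "no authenticated session"
        if not self._origin_allowed(headers):
            return False, "origin not allowed"
        supplied = form.get(TOKEN_FIELD) or headers.get(TOKEN_HEADER)
        if not supplied:
            return False, "missing CSRF token"
        expected = self._tokens[session_id]
        # Constant-time comparison so token bytes cannot be guessed by timing.
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return False, "CSRF token mismatch"
        return True, "ok"


def simulate() -> dict[str, tuple[bool, str]]:
    """Run constructed requests through the guard and return each verdict.
    Mirrors the verification step: a forged configuration change is rejected."""
    guard = CsrfGuard({"https://plc.example.internal"})    # assumed UI origin
    token = guard.issue_token("sess-admin")                 # admin is logged in
    settings = {"modbus_port": "502"}                       # constructed form data
    return {
        # Administrator submits the real settings form from the PLC UI.
        "legit_post": guard.validate(
            "POST", {"Origin": "https://plc.example.internal"},
            {**settings, TOKEN_FIELD: token}, "sess-admin"),
        # Auto-submitted form on a third-party page: no token, foreign Origin.
        "forged_cross_site": guard.validate(
            "POST", {"Origin": "https://attacker.example"}, settings, "sess-admin"),
        # Forged request that somehow omits Origin: still fails on the token.
        "forged_no_origin": guard.validate("POST", {}, settings, "sess-admin"),
        # Wrong token value (token is per session and unguessable).
        "wrong_token": guard.validate(
            "POST", {}, {**settings, TOKEN_FIELD: "guess"}, "sess-admin"),
        # Read-only request needs no token.
        "read_only": guard.validate("GET", {}, {}, "sess-admin"),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in simulate().items():
        print(f"{name:20s} allowed={allowed} reason={reason}")
```

The guard only protects requests that are routed through it, so every handler that changes PLC state (settings, program upload, start/stop) must be registered as non-safe; a GET endpoint that mutates state bypasses the check entirely, which is why the safe-method set is restricted to genuinely read-only verbs.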
CVE-2025-13970 is a cross-site request forgery (CSRF) vulnerability in OpenPLC_V3, allowing attackers to trick administrators into unauthorized actions.
You are affected if you are using OpenPLC_V3 prior to pull request #310.
Upgrade to the version incorporating pull request #310 to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
No active exploitation has been confirmed at this time, but the HIGH CVSS score warrants caution.
Refer to the OpenPLC project's official communication channels and repositories for the latest advisory regarding CVE-2025-13970.