pull request #310
CVE-2025-13970 describes a cross-site request forgery (CSRF) vulnerability affecting OpenPLC_V3. This flaw allows an attacker to exploit logged-in administrators by crafting malicious links, leading to unauthorized actions. The vulnerability impacts versions prior to pull request #310, and a fix is available in pull request #310.
The CSRF vulnerability in OpenPLC_V3 poses a significant risk to systems relying on PLC automation. An attacker can leverage this flaw to trick an authenticated administrator into performing actions they did not intend. This could involve modifying PLC settings, uploading malicious programs, or executing arbitrary commands within the PLC environment. Successful exploitation could lead to disruption of industrial processes, damage to equipment, or even safety hazards, depending on the PLC's role in the system. The potential impact is amplified if the PLC controls critical infrastructure or safety-critical functions.
CVE-2025-13970 was publicly disclosed on 2025-12-13. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is pending evaluation, but the HIGH CVSS score suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Organizations utilizing OpenPLC_V3 in industrial automation, particularly those with remote access to PLC configuration interfaces, are at risk. Legacy deployments with weak authentication practices or shared hosting environments are especially vulnerable.
Disclosure
Exploitation status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13970 is to upgrade OpenPLC_V3 to the version incorporating pull request #310, which includes the necessary CSRF validation. If immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting access to PLC configuration interfaces, enforcing multi-factor authentication for administrative accounts, and carefully scrutinizing any links received via email or other external sources. Implementing a Web Application Firewall (WAF) with CSRF protection rules can also provide an additional layer of defense. After upgrading, confirm the fix by attempting to trigger a PLC configuration change via a crafted URL; the request should be rejected due to CSRF protection.
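To make the fix and its verification concrete, the following is an added, self-contained Python illustration of synchronizer-token CSRF validation for a state-changing PLC console endpoint. It is not OpenPLC_V3's own code or the code in pull request #310; the endpoint, field names, the `start_mode` setting and the origin `https://plc.example.internal` are constructed assumptions. It shows the pre-fix handler (any request carrying the session cookie is honoured) beside a hardened one, and includes the check the text recommends after upgrading: a forged cross-site submission must be rejected while the legitimate form still works.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for a PLC web console. The endpoint, field names and
# origin are assumptions for illustration, not OpenPLC_V3's own code.
TRUSTED_ORIGIN = "https://plc.example.internal"


@dataclass
class Session:
    """Server-side session bound to the browser's session cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    form: Dict[str, str]
    headers: Dict[str, str]
    session: Optional[Session]  # set when the browser attached a valid cookie


def settings_form(session: Session) -> Dict[str, str]:
    """The legitimate page embeds the session token in its form; a page on
    another origin cannot read it because of the same-origin policy."""
    return {"csrf_token": session.csrf_token}


def update_settings_vulnerable(req: Request, plc: Dict[str, str]) -> Tuple[int, str]:
    """Pre-fix behaviour: a valid session cookie is the only check, so a form
    auto-submitted from another site changes the PLC configuration."""
    if req.session is None:
        return 401, "login required"
    plc["start_mode"] = req.form.get("start_mode", plc["start_mode"])
    return 200, "saved"


def _same_site(url: str) -> bool:
    """Compare scheme and host exactly; a prefix check would accept
    https://plc.example.internal.attacker.example as trusted."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}" == TRUSTED_ORIGIN


def csrf_check(req: Request) -> Optional[str]:
    """Return a rejection reason, or None when the request passes."""
    if req.method != "POST":
        return "state changes require POST"  # no change via a crafted GET URL
    token = req.form.get("csrf_token", "")
    # Constant-time comparison against the token stored in the session.
    if not hmac.compare_digest(token, req.session.csrf_token):
        return "missing or invalid CSRF token"
    # Defence in depth: if the browser sent Origin/Referer, it must be this site.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source and not _same_site(source):
        return "cross-site origin"
    return None


def update_settings_fixed(req: Request, plc: Dict[str, str]) -> Tuple[int, str]:
    """Post-fix behaviour: session cookie plus synchronizer token plus origin."""
    if req.session is None:
        return 401, "login required"
    reason = csrf_check(req)
    if reason:
        return 403, "rejected: " + reason
    plc["start_mode"] = req.form.get("start_mode", plc["start_mode"])
    return 200, "saved"


def cross_site_request(victim: Session) -> Request:
    """What the server sees for a form submitted from another origin: the
    browser attaches the victim's cookie, but the token was never visible."""
    return Request("POST", {"start_mode": "stopped"},
                   {"Origin": "https://attacker.example"}, victim)


def legitimate_request(session: Session) -> Request:
    form = dict(settings_form(session), start_mode="stopped")
    return Request("POST", form, {"Origin": TRUSTED_ORIGIN}, session)


def outcome(handler, req: Request) -> Tuple[int, str]:
    """Run a handler against a fresh 'running' PLC and report (status, start_mode)."""
    plc = {"start_mode": "running"}
    status, _ = handler(req, plc)
    return status, plc["start_mode"]


if __name__ == "__main__":
    admin = Session("admin")
    print("vulnerable, cross-site:", outcome(update_settings_vulnerable, cross_site_request(admin)))
    print("fixed, cross-site:     ", outcome(update_settings_fixed, cross_site_request(admin)))
    print("fixed, legitimate:     ", outcome(update_settings_fixed, legitimate_request(admin)))
```

The verification step from the text maps onto `outcome`: before the fix the cross-site submission returns 200 and flips the setting; after it the same submission returns 403 and the setting is untouched, while the legitimate form (token present, same-site origin) still succeeds. The origin comparison is done on scheme and host rather than with a string prefix so that a look-alike hostname is not accepted.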
Update OpenPLC_V3 to a version that includes pull request #310. This fixes the CSRF vulnerability by implementing proper CSRF validation. See the OpenPLC_V3 repository on GitHub for the latest release and update instructions.
CVE-2025-13970 is a cross-site request forgery (CSRF) vulnerability in OpenPLC_V3, allowing attackers to trick administrators into unauthorized actions.
You are affected if you are using OpenPLC_V3 prior to pull request #310.
Upgrade to the version incorporating pull request #310 to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
No active exploitation has been confirmed at this time, but the HIGH CVSS score warrants caution.
Refer to the OpenPLC project's official communication channels and repositories for the latest advisory regarding CVE-2025-13970.