CVE-2025-9138 Information

Description

A vulnerability was found in Scada-LTS 2.7.8.1. Affected is an unknown function of the file pointHierarchy/new/. Manipulation of the argument Title results in cross-site scripting. The attack can be carried out remotely. The exploit has been made public and could be used. The vendor explains: "[T]he risks of indicated vulnerabilities seem to be minimal as all scenarios likely require admin permissions. Moreover, regardless of whether our team fixes those vulnerabilities, the overall risk change to the user due to malicious admin actions will not be lower. An admin user - by definition - has full control over HTML and JS code that is delivered to users in regular synoptic panels. In other words - due to the design of the system it is not possible to limit the admin user to attack the users."

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Reference

https://github.com/KarinaGante/KGSec/blob/main/CVEs/Scada-LTS/2.md
https://github.com/KarinaGante/KGSec/blob/main/CVEs/Scada-LTS/2.md#poc
https://vuldb.com/?ctiid.320518
https://vuldb.com/?id.320518
https://vuldb.com/?submit.620516

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

Base Score

3.5

Base Severity

LOW

CNNVD-202508-2088 (Published: 2025-08-19)
