CVE-2025-13970

OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack 
due to the absence of proper CSRF validation. This issue allows an 
unauthenticated attacker to trick a logged-in administrator into 
visiting a maliciously crafted link, potentially enabling unauthorized 
modification of PLC settings or the upload of malicious programs, which 
could lead to significant disruption or damage to connected systems.
CSRF
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H |
| icscert | CNA | 8 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H |