Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-25787 -- CVSS 9.1 Vulnerability Briefing

CVE-2026-25787 | CVSS 9.1 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-25787 is a stored or reflected cross-site scripting (XSS) vulnerability in the web interface of an industrial device, specifically within the "Motion Control Diagnostics" page, where Technology Object (TO) names are rendered without proper validation or sanitization.

Technical Detail

The flaw exists because the affected device's web interface fails to properly validate and sanitize user-controlled Technology Object (TO) name input before rendering it on the Motion Control Diagnostics page. An authenticated attacker can inject malicious script content into a TO name field, which is then executed in the browser context of other users who view the affected page. Depending on the application's session handling and privilege model, successful exploitation could lead to session hijacking, credential theft, unauthorized configuration changes, or further lateral movement within the industrial control environment.

Exploitation Status

No known exploit code has been publicly identified or confirmed as of May 19, 2026. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, meaning there is no confirmed public proof-of-concept or evidence of active exploitation in the wild at this time.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns, targeted sectors, or adversary groups have been linked to this vulnerability. Given the industrial control system context, organizations in manufacturing, energy, and critical infrastructure sectors should treat this as a relevant risk profile even in the absence of confirmed targeting.

What To Do

Apply vendor-supplied patches as soon as they become available, prioritizing internet-facing or externally accessible instances of the affected web interface. In the interim, restrict access to the device's web management interface to trusted, internal network segments only, and enforce strong authentication controls to limit the pool of users who can interact with the Motion Control Diagnostics page. Monitor web interface access logs for anomalous input patterns or unexpected script-like strings in TO name fields. Given the CVSS score of 9.1, this should be treated as a high-priority remediation item even in the absence of active exploitation evidence.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →