Summary
An optional package of the TwinCAT 3 XAR installs the TwinCAT 3 HMI Server on a device. It provides a server configuration page which can be accessed by administrative users only. When such an administrator accesses the server configuration page it is possible to upload arbitrary content into the CUSTOM_CSS field which is then persisted on the device and later returned and rendered with each login and error page.
Please note that administrators have the access rights to modify any content on the HMI server, for example, via the server configuration page. Therefore, administrators would have to act maliciously to exploit this vulnerability.
Impact
On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| TF2000-HMI-Server OS software package for TwinCAT/BSD <14.4.267 | TF2000-HMI-Server OS software package for TwinCAT/BSD <14.4.267 | |
| TwinCAT.HMI.Server tcpkg package <14.4.267 | TwinCAT.HMI.Server tcpkg package <14.4.267 | |
| tf2000-hmi-server OS software package for Beckhoff RT Linux(R) on ARM64 <14.4.267 | tf2000-hmi-server OS software package for Beckhoff RT Linux(R) on ARM64 <14.4.267 | |
| tf2000-hmi-server for Beckhoff RT Linux(R) on AMD64 <14.4.267 | tf2000-hmi-server for Beckhoff RT Linux(R) on AMD64 <14.4.267 |
Vulnerabilities
Expand / Collapse allRemediation
Please update to a recent version of the affected components.
Acknowledgments
Beckhoff Automation GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com )
- Roby Firnando Yusuf from Jeonbuk National University for Reported by (see https://www.jbnu.ac.kr/ )
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 12/10/2025 11:00 | Initial revision |