CVE-2025-54962
📋 TL;DR
This vulnerability allows authenticated users to upload arbitrary files (like .html or .svg) through the /edit-user endpoint in OpenPLC Runtime. These uploaded files become publicly accessible via the /static URI, potentially enabling malicious content distribution. All OpenPLC Runtime installations with affected versions are vulnerable.
💻 Affected Systems
- OpenPLC Runtime
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could upload malicious HTML/SVG files containing cross-site scripting payloads or phishing content, then redirect users to these files via /static URI to steal credentials or execute arbitrary scripts in victims' browsers.
Likely Case
Authenticated users upload malicious files to host phishing pages or distribute malware through the vulnerable OpenPLC instance, compromising other users who access the /static content.
If Mitigated
With proper authentication controls and file type validation, impact is limited to authorized users uploading benign files for legitimate purposes.
🎯 Exploit Status
Exploitation requires authenticated access to the OpenPLC web interface. The vulnerability is in the webserver's pages.py file at line 992 where file uploads lack validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 9cd8f1b (check for updates beyond 9cd8f1b53a50f9d38708096bfc72bcbb1ef47343)
Vendor Advisory: https://github.com/thiagoralves/OpenPLC_v3
Restart Required: No
Instructions:
1. Update OpenPLC Runtime to a version beyond commit 9cd8f1b.
2. Check the GitHub repository for the latest secure version.
3. Replace the vulnerable pages.py file with the patched version that includes proper file upload validation.
🔧 Temporary Workarounds
Restrict file upload types
Modify the webserver configuration to only allow specific safe file types for upload.
Edit pages.py around line 992 to add file extension validation before processing uploads.
Disable /edit-user endpoint
Temporarily disable the vulnerable endpoint until patching is complete.
Comment out or remove the /edit-user route handler in pages.py.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block malicious file uploads to /edit-user endpoint
- Restrict network access to OpenPLC web interface to trusted users only using firewall rules
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a test .html file via the /edit-user endpoint while authenticated, then try to access it via /static/[filename] without authentication.
Check Version:
Check the OpenPLC version or git commit hash in the installation directory
Verify Fix Applied:
After patching, attempt the same file upload test - the upload should be rejected or the file should not be accessible via /static URI.
📡 Detection & Monitoring
Log Indicators:
- Multiple file upload requests to /edit-user endpoint
- Access to unusual file types via /static URI
- Uploads of .html, .svg, or other file types that browsers render and that can carry scripts
Network Indicators:
- HTTP POST requests to /edit-user with file uploads
- Subsequent HTTP GET requests to /static/[filename] patterns
SIEM Query:
source="openplc_logs" AND ((uri_path="/edit-user" AND method="POST") OR (uri_path STARTSWITH "/static/" AND (file_extension=".html" OR file_extension=".svg")))
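As an added example (not code from this page or from the OpenPLC project), the log and network indicators above turned into a small Python correlator: it parses access-log lines, flags POST requests to /edit-user and GET requests for browser-rendered files under /static/, and marks a fetch as correlated when an upload preceded it within a time window. The combined-log-format layout and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real OpenPLC output.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2025:10:01:02 +0000] "POST /edit-user HTTP/1.1" 302 0
10.0.0.5 - admin [12/Mar/2025:10:01:09 +0000] "GET /static/profile.png HTTP/1.1" 200 4410
10.0.0.7 - - [12/Mar/2025:10:03:44 +0000] "GET /static/login.html HTTP/1.1" 200 2210
10.0.0.7 - - [12/Mar/2025:10:03:50 +0000] "GET /static/logo.svg HTTP/1.1" 200 980
10.0.0.5 - admin [12/Mar/2025:10:04:00 +0000] "GET /dashboard HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Extensions that a browser renders and that can carry script content.
RISKY_EXT = {".html", ".htm", ".svg"}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev

def extension(path):
    """Lower-cased extension of the last path segment, ignoring any query string."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""

def find_indicators(log_text, window=timedelta(minutes=30)):
    """Return (kind, client_ip, path) alerts; a risky /static fetch gets the suffix
    '_after_upload' when any /edit-user POST occurred within `window` before it."""
    uploads, alerts = [], []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"].split("?", 1)[0] == "/edit-user":
            uploads.append(ev["ts"])
            alerts.append(("upload", ev["ip"], ev["path"]))
        elif ev["method"] == "GET" and ev["path"].startswith("/static/") \
                and extension(ev["path"]) in RISKY_EXT:
            recent = any(timedelta(0) <= ev["ts"] - t <= window for t in uploads)
            kind = "risky_static_fetch" + ("_after_upload" if recent else "")
            alerts.append((kind, ev["ip"], ev["path"]))
    return alerts

if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_LOG):
        print(alert)
```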