CVE-2025-13970 HIGH

CVE-2025-13970: OpenPLC_V3 Cross-Site Request Forgery

Vendor Openplc_V3
Product OpenPLC_V3
Weakness CWE-352 · CSRF
Published December 13, 2025
Last update December 15, 2025

CVSS base score

8.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H

What the vulnerability does

01 Description

OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs, which could lead to significant disruption or damage to connected systems.

Key dates

02 Disclosure timeline

December 13, 2025 CVE published
December 15, 2025 Record updated