
CVE-2025-13790: Scada-LTS CSRF Vulnerability

CVE-2025-13790 is a cross-site request forgery flaw in Scada-LTS up to version 2.7.8.1 that enables remote attackers to perform unauthorized actions. This article covers technical details, affected versions, and mitigation.

CVE-2025-13790 Overview

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Scada-LTS, an open-source SCADA (Supervisory Control and Data Acquisition) system, affecting versions up to 2.7.8.1. The vulnerability impacts an unspecified function within the application, allowing remote attackers to potentially execute unauthorized actions on behalf of authenticated users. The exploit has been publicly disclosed and proof-of-concept code is available, increasing the risk of exploitation in the wild.

Critical Impact

This CSRF vulnerability in Scada-LTS could allow attackers to manipulate industrial control system configurations through forged requests, potentially compromising critical infrastructure operations.

Affected Products

  • Scada-LTS versions up to and including 2.7.8.1
  • Scada-LTS open-source SCADA platform installations
  • Industrial control systems utilizing Scada-LTS for monitoring and management

Discovery Timeline

  • November 30, 2025 - CVE-2025-13790 published to NVD
  • December 4, 2025 - Last updated in NVD database

Technical Details for CVE-2025-13790

Vulnerability Analysis

This vulnerability is classified as CWE-352 (Cross-Site Request Forgery), which occurs when a web application fails to properly verify that requests originate from the authenticated user's intentional actions. In the context of Scada-LTS, this flaw allows attackers to craft malicious web pages that, when visited by an authenticated administrator, can trigger unauthorized state-changing operations within the SCADA system.

The vulnerability is particularly concerning in industrial control system environments where Scada-LTS is deployed. SCADA systems are used to monitor and control industrial processes, and unauthorized modifications could have significant operational and safety implications. The absence of anti-CSRF tokens or server-side Origin/Referer validation on state-changing requests enables this attack vector.

Root Cause

The root cause of this vulnerability lies in the absence or improper implementation of CSRF protection mechanisms within the affected Scada-LTS functionality. Web applications must validate that state-changing requests include a unique, unpredictable token that confirms the request originated from the application's own forms rather than a malicious third-party site. The lack of such validation in Scada-LTS allows forged cross-origin requests to be processed as legitimate.
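The synchronizer-token pattern described above, as an added example (not Scada-LTS code): a token is derived per session, embedded in the application's own forms, and required on every state-changing request, so a forged cross-site request, which cannot read the token, is rejected. The session identifier and form dictionary are assumed inputs.

```python
import hmac
import hashlib
import secrets

# Added example, not Scada-LTS code. The secret is constructed here; a real
# deployment would load it from protected configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive an unpredictable token bound to this session.

    Because it is an HMAC over the session id, the server does not need to
    store it; it only needs to recompute it at verification time."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(method: str) -> bool:
    """Safe methods (GET/HEAD/OPTIONS) must not change state and need no token."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def verify_request(method: str, session_id: str, form: dict) -> bool:
    """Accept a request only if it is a safe method or carries the session's token."""
    if not is_state_changing(method):
        return True
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so token bytes cannot be guessed via timing.
    return hmac.compare_digest(supplied, expected)
```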

Attack Vector

The attack requires user interaction where an authenticated Scada-LTS user must be tricked into visiting a malicious website or clicking a crafted link. The attacker can host a malicious HTML page containing hidden forms or JavaScript that automatically submits requests to the vulnerable Scada-LTS endpoints. When the victim visits this page while logged into Scada-LTS, their browser automatically includes authentication cookies, causing the forged request to be executed with the victim's privileges.

The vulnerability can be exploited remotely via network access, requiring no prior authentication to the target system by the attacker. However, successful exploitation depends on social engineering to lure authenticated users to attacker-controlled content. For detailed technical information about the exploitation mechanism, see the GitHub Report on CSRF and the GitHub PoC for CSRF.

Detection Methods for CVE-2025-13790

Indicators of Compromise

  • Unexpected configuration changes in Scada-LTS without corresponding administrator activity logs
  • Unusual HTTP POST requests to Scada-LTS endpoints originating from external referrers
  • Authentication session activity patterns showing requests from multiple IP addresses or unusual geographic locations
  • Web server access logs containing state-changing requests with suspicious or absent Referer headers

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block requests with missing or external Referer headers to sensitive endpoints
  • Monitor Scada-LTS audit logs for configuration changes that do not correlate with legitimate administrative sessions
  • Deploy network intrusion detection signatures to identify potential CSRF exploitation attempts targeting known vulnerable endpoints
  • Enable detailed HTTP request logging and analyze for patterns indicative of cross-site request forgery attacks
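The Referer-based detection from the indicators and strategies above, as an added example that is not part of the advisory: it parses combined-format access log lines and flags state-changing requests whose Referer is missing or points at another origin. The host name and the log lines (including the request paths) are constructed samples, not real Scada-LTS endpoints.

```python
import re
from urllib.parse import urlsplit

# Added example, not part of the advisory. Assumption: Scada-LTS is served on
# this host, so legitimate form submissions carry a Referer from it.
SCADA_HOST = "scada.internal.example"

# Apache/nginx combined log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def referer_origin(referer: str) -> str:
    """Return the Referer host, or '' when the header is absent ('-' in logs)."""
    if referer in ("", "-"):
        return ""
    return urlsplit(referer).hostname or ""


def suspicious_requests(lines):
    """Yield (ip, method, path, reason) for writes without a same-origin Referer."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in STATE_CHANGING:
            continue
        host = referer_origin(m["referer"])
        if host == "":
            yield m["ip"], m["method"], m["path"], "missing referer"
        elif host != SCADA_HOST:
            yield m["ip"], m["method"], m["path"], f"external referer {host}"


# Constructed sample log lines; paths are placeholders, not real Scada-LTS URLs.
SAMPLE_LOG = [
    '10.0.1.15 - - [30/Nov/2025:10:01:02 +0000] "GET /scada/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.1.15 - - [30/Nov/2025:10:01:09 +0000] "POST /scada/admin/users HTTP/1.1" 302 0 "https://scada.internal.example/scada/admin/users" "Mozilla/5.0"',
    '10.0.1.15 - - [30/Nov/2025:10:07:41 +0000] "POST /scada/admin/users HTTP/1.1" 302 0 "https://evil.example/page.html" "Mozilla/5.0"',
    '10.0.1.22 - - [30/Nov/2025:10:08:03 +0000] "POST /scada/admin/datasources HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Browsers omit Referer on some legitimate navigations (referrer policies, privacy settings), so treat "missing referer" hits as lower confidence than an external Referer, and prefer the Origin header where the proxy logs it.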

Monitoring Recommendations

  • Establish baseline behavior for administrative operations in Scada-LTS and alert on deviations
  • Configure SIEM correlation rules to detect requests to Scada-LTS from unusual source networks while authenticated sessions are active
  • Monitor for rapid succession of state-changing requests that may indicate automated CSRF exploitation
  • Review and audit all configuration changes in Scada-LTS on a regular basis to identify unauthorized modifications

How to Mitigate CVE-2025-13790

Immediate Actions Required

  • Restrict network access to Scada-LTS administrative interfaces to trusted networks only using firewall rules
  • Implement additional authentication layers such as VPN or multi-factor authentication for accessing the Scada-LTS management interface
  • Educate administrators about the risks of visiting untrusted websites while authenticated to sensitive systems
  • Review recent configuration changes in Scada-LTS for any unauthorized modifications

Patch Information

As of the last update, the vendor (Scada-LTS) was contacted about this disclosure but did not respond. Users should monitor the official Scada-LTS project for security updates. In the absence of a vendor patch, implementing the workarounds and additional security controls described below is strongly recommended. Check VulDB #333794 for updated information regarding patches and mitigation guidance.

Workarounds

  • Deploy a reverse proxy or web application firewall (WAF) in front of Scada-LTS to validate Referer and Origin headers on state-changing requests
  • Implement network segmentation to isolate Scada-LTS from general user browsing networks
  • Configure browser security settings for administrators to block third-party cookies and enable strict same-site cookie policies
  • Use dedicated administrative workstations that do not browse external websites for accessing Scada-LTS

```bash
# Example: Restrict access to Scada-LTS using iptables
# Allow only the trusted management network (e.g., 10.0.1.0/24);
# 8080 is the port Scada-LTS is assumed to listen on in this example
iptables -A INPUT -p tcp --dport 8080 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
