High8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

PT-2025-88: Cross‑site scripting and open redirect in Fastwel PLC web interface

Error type:

  • CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-601:URL Redirection to Untrusted Site ('Open Redirect')

Vulnerability vector:

  • Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • Severity (CVSSv4.0): 8.6 (High)

Description:

The vulnerability was identified in Fastwel programmable controllers, versions 3.4.5.0 (CPM810-03), 3.4.9.1 (СPM723-01).

The discovered vulnerability stems from the lack of user input filtering in the redirect parameter. Exploitation of the vulnerability allows a remote attacker to execute arbitrary JavaScript code in an authenticated user's browser by spoofing the URL scheme.

Vulnerability status: Confirmed by vendor

Date of vulnerability remediation: 10.09.2025

Recommendations:

Update to versions:

  • CPM723-01 3.4.9.5
  • CPM810-03 3.4.5.1

Additional information: 

Researcher: Maksim Gruzin (Positive Technologies)

Identifiers:

BDU:2025-11171

Vendor:

Fastwel

Vulnerable product:

CPM810-03, СPM723-01

Vulnerable versions:

3.4.5.0 (CPM810-03), 3.4.9.1 (СPM723-01)