Description:
The OPC XML-DA server endpoint (/da) logs incoming SOAP requests and renders client metadata —including the User-Agent header — on the server statistics page at /webui/statistics/opc_srv without sanitization or output encoding.
An unauthenticated attacker can send a crafted OPC XML-DA SOAP request with a malicious User-Agent header containing arbitrary JavaScript. The payload is stored server-side and executed in the browser of any authenticated administrator who views the statistics page.
The issue has been reported as CVE-2026-12496.
Impact:
- Session hijacking
- Credential theft
- Device reconfig
The attack is particularly dangerous because it requires no authentication to inject the payload, and itpersists until the statistics log rotates or is cleared. Any administrator routine check of server statistics triggers execution.
Mitigation:
Upgrade to firmware version 8.4.18.

