AVEVA InTouch Access Anywhere

Act NowCVSS 6.1ICS-CERT ICSA-18-212-04Jul 31, 2018

AVEVA

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

InTouch Access Anywhere versions 2017 Update 2 and earlier are vulnerable to stored or reflected cross-site scripting (XSS) attacks via CWE-79. Successful exploitation allows attackers to inject and execute arbitrary JavaScript or HTML code in a user's browser session, enabling theft of sensitive information such as credentials or process data, and potentially allowing unauthorized commands to be executed on connected control systems. The vulnerability is triggered by user interaction (clicking a malicious link) but requires no special authentication from the attacker's side.

What this means

What could happen

An attacker could inject malicious JavaScript or HTML code into InTouch Access Anywhere, potentially stealing login credentials or process data from engineering staff, or tricking operators into executing unauthorized actions on connected control systems.

Who's at risk

Organizations running AVEVA InTouch Access Anywhere 2017 Update 2 or earlier are at risk. This affects remote access for engineering staff and operators who use InTouch to monitor and control industrial processes in water, electric, and manufacturing facilities. Anyone relying on this platform for remote troubleshooting, process monitoring, or setpoint adjustment should prioritize patching.

How it could be exploited

An attacker crafts a malicious URL or webpage containing JavaScript/HTML code and tricks a user (via email or social engineering) into clicking the link while logged into InTouch Access Anywhere. The injected code executes in the user's browser and gains access to the application, allowing theft of session tokens or execution of commands on behalf of the logged-in user.

Prerequisites

User must click a malicious link or visit an attacker-controlled webpage while an authenticated InTouch Access Anywhere session is active
No special network access required; attack is web-based and works over the internet

remotely exploitableno authentication required for the malicious link itself (though InTouch session required)user interaction required (clicking link)high EPSS score (27.2%)affects remote access to control systems

Exploitability

Likely to be exploited — EPSS score 25.6%

Public Proof-of-Concept (PoC) on GitHub (4 repositories)

Affected products (2)

1 with fix1 pending

ProductAffected VersionsFix Status

Vulnerable< 3.0.0No fix yet

InTouch Access Anywhere: 2017 Update 2 and prior≤ 2017 Update 22017 Update 2b+

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGRestrict internet access to InTouch Access Anywhere—place it behind a firewall and do not expose to the internet directly

HARDENINGRequire users to access InTouch Access Anywhere only through a VPN when remote access is necessary; keep VPN software current

WORKAROUNDEducate engineering and operations staff to avoid clicking links in unsolicited emails and to verify URLs before logging into access platforms

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate InTouch Access Anywhere to version 2017 Update 2b or later

CVEs (1)

CVE-2015-9251

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c61020cf-cb15-446e-a96c-8a6112c0f898

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.