AVEVA InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition)

Act Now9.8ICS-CERT ICSA-18-305-01Nov 1, 2018

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

InduSoft Web Studio and InTouch Edge HMI contain buffer overflow and insecure password handling vulnerabilities (CWE-121, CWE-258) that allow unauthenticated remote code execution. An attacker with network connectivity to the application can exploit these flaws to execute arbitrary commands with application privileges, potentially compromising the HMI/SCADA environment and the processes it controls. Both products require upgrade to patched versions; older versions will not receive security updates.

What this means

What could happen

An attacker with network access to your HMI or SCADA engineering workstation could run arbitrary code on it without credentials, potentially modifying process logic, altering setpoints, or disrupting production. This affects any operator interface or engineering station using these AVEVA products.

Who's at risk

Manufacturing plants using AVEVA InduSoft Web Studio or InTouch Edge HMI (formerly InTouch Machine Edition) as their primary HMI/SCADA engineering platform are affected. This includes any facility that uses these tools to develop, configure, or remotely monitor industrial processes—especially those with engineering workstations or operator consoles that are networked.

How it could be exploited

The attacker sends a malicious network request to the HMI or Web Studio application. Because there is no authentication check, the request is processed immediately. Successful exploitation allows the attacker to execute code with the privileges of the application, which typically include access to the engineering environment and live process data.

Prerequisites

Network access to the InduSoft Web Studio or InTouch Edge HMI service port
Vulnerable version running (InduSoft Web Studio prior to v8.1 SP2 or InTouch Edge HMI prior to 2017 SP2)
No authentication or special credentials required

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)no patch available for older versionsaffects control system engineering workstations

Exploitability

Moderate exploit probability (EPSS 9.8%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

InduSoft Web Studio:<8.1 SP2v8.1 SP2

InTouch Edge HMI (formerly InTouch Machine Edition):<2017 SP22017 SP2

Remediation & Mitigation

0/7

Do now

0/3

HARDENINGEnable encrypted communication channel and disable unencrypted channel in both products

HARDENINGSet a strong Master Project password in InduSoft Web Studio

HARDENINGSet strong passwords for all accounts, including the default Guest account in InTouch Edge HMI

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade InduSoft Web Studio to v8.1 SP2 or later

HOTFIXUpgrade InTouch Edge HMI to 2017 SP2 or later

Long-term hardening

0/2

HARDENINGRestrict network access to HMI and Web Studio systems—do not expose to the Internet; place behind firewalls and on isolated control network segments

HARDENINGIf remote access is required, use a VPN with current patches and strong authentication

CVEs (2)

CVE-2018-17916 CVE-2018-17914

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/56de01b4-1d13-4e8c-a452-30203f11ffc5