AVEVA InduSoft Web Studio and InTouch Edge HMI
Priority: Act Now · CVSS: 9.8 · ICS-CERT ICSA-19-036-01 · Published: Feb 5, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
These vulnerabilities in AVEVA InduSoft Web Studio and InTouch Edge HMI stem from improper handling of database connection configuration files. A remote attacker can craft a malicious configuration file that, when processed by the vulnerable application, executes arbitrary code. The vulnerabilities are tracked under CWE-99 (Improper Control of Resource Identifiers) and CWE-306 (Missing Authentication for Critical Function).
What this means
What could happen
An attacker could execute arbitrary commands on systems running vulnerable InduSoft Web Studio or InTouch Edge HMI by crafting a malicious database connection file, potentially taking full control of the HMI and altering production setpoints, halting processes, or corrupting plant data.
Who's at risk
Manufacturing facilities using AVEVA InduSoft Web Studio or InTouch Edge HMI for process visualization and control. This affects operators managing critical production equipment, batch processes, and data acquisition systems that depend on these HMI platforms.
How it could be exploited
An attacker with network access to the HMI system can upload or inject a specially crafted database connection configuration file. When the HMI application processes this file, it executes arbitrary code with the privileges of the application process. No user interaction or credentials are required.
Prerequisites
- Network access to the HMI device or workstation running InduSoft Web Studio or InTouch Edge HMI
- Ability to place or influence a malicious database connection configuration file on the target system or network path
Tags: remotely exploitable · no authentication required · low complexity · high EPSS score (36.9%) · affects HMI/visualization systems
Exploitability
High exploit probability (EPSS 36.9%)
Affected products (2), 2 with fix
Product | Affected Versions | Fix Status
InduSoft Web Studio | prior to 8.1 SP3 | 8.1 SP3 or later
InTouch Edge HMI (formerly InTouch Machine Edition) | prior to 2017 | 2017 or later
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to HMI systems and workstations running these products using firewall rules; only allow database connections from trusted, validated sources
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade InduSoft Web Studio to version 8.1 SP3 or later
- HOTFIX: Upgrade InTouch Edge HMI to version 2017 or later
Long-term hardening
- HARDENING: Implement network segmentation to isolate HMI devices from untrusted networks and internet-facing systems
- HARDENING: Monitor and validate all database connection configuration files before they are used by HMI applications
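As an added illustration of the last hardening item (example code written for this page, not from the advisory or from AVEVA): a baseline-and-verify check over the directory an HMI loads its database connection configuration files from, so that an added or altered file is flagged before the application processes it. The directory, the `.conn` extension and the file contents are constructed placeholders, since the advisory names none of them.

```python
# Added example (not from the advisory or AVEVA): baseline-and-verify check for
# the directory of database connection configuration files an HMI loads.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large configuration files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(config_dir: Path, pattern: str = "*") -> dict[str, str]:
    """Record the trusted state: one SHA-256 per configuration file."""
    return {p.name: sha256_file(p) for p in sorted(config_dir.glob(pattern)) if p.is_file()}


def verify(config_dir: Path, baseline: dict[str, str], pattern: str = "*") -> dict[str, list[str]]:
    """Compare the directory against the baseline; any listed file should block loading."""
    current = build_baseline(config_dir, pattern)
    return {
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def is_trusted(report: dict[str, list[str]]) -> bool:
    """Only an unchanged directory passes; an added file is exactly the case the advisory describes."""
    return not any(report.values())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline two files, then one is edited and an unexpected one appears."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp)  # placeholder for the HMI's configuration directory
        (cfg / "plant_db.conn").write_text("server=HISTORIAN01;database=plant\n")  # constructed
        (cfg / "batch_db.conn").write_text("server=BATCHDB01;database=batch\n")    # constructed
        baseline = build_baseline(cfg, "*.conn")
        assert is_trusted(verify(cfg, baseline, "*.conn"))  # clean directory passes
        (cfg / "batch_db.conn").write_text("server=UNKNOWN-HOST;database=batch\n")
        (cfg / "dropped.conn").write_text("unexpected file\n")
        return verify(cfg, baseline, "*.conn")


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where the HMI process cannot rewrite it, otherwise an attacker who can place a configuration file can re-baseline as well.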
CVEs (2)