OTPulse

AVEVA InduSoft Web Studio and InTouch Edge HMI

Monitor | 6.5 | ICS-CERT ICSA-19-078-01 | Mar 19, 2019
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: Required
Summary

This vulnerability in AVEVA InduSoft Web Studio (versions before 8.1 SP3) and InTouch Edge HMI (versions before 2017 Update 3) allows execution of unauthorized code or commands. The vulnerability is triggered through user interaction on the local system and requires high privilege access. Successful exploitation could allow an attacker to run arbitrary code with system-level privileges, potentially compromising process visualization, operator interfaces, and automation logic. The vulnerability is not remotely exploitable and no known public exploits exist.

What this means
What could happen
An attacker with local access and elevated privileges on an HMI system could execute unauthorized code, potentially altering process parameters, operator screens, or system logic that controls manufacturing equipment or infrastructure.
Who's at risk
Manufacturing plants and process facilities that use AVEVA InduSoft Web Studio or InTouch Edge HMI for process visualization and control should assess their exposure. This specifically impacts organizations running older versions (InduSoft Web Studio before v8.1 SP3 or InTouch Edge HMI before 2017 Update 3) in environments where engineering staff or operators may interact with untrusted files.
How it could be exploited
An attacker with local administrative/engineering access to an InduSoft Web Studio or InTouch Edge HMI system could exploit this vulnerability (likely through a malicious runtime or project file) to execute arbitrary code with system privileges. The vulnerability is triggered during user interaction (UI), so the attacker needs to trick an authorized operator or engineer into opening or running a malicious component.
Prerequisites
  • Local access to the HMI workstation or engineering station
  • High privilege account (administrator or engineering credentials) on the system
  • User interaction required (operator or engineer must open or execute a malicious file or component)
  • Local access required (not remotely exploitable)
  • Requires high privileges (administrator or engineering account)
  • Requires user interaction
  • No patch available for some versions (end-of-life products)
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
InduSoft Web Studio | < 8.1 SP3 | 8.1 SP3
InTouch Edge HMI | < 2017 Update 3 | 2017 Update 3
Remediation & Mitigation
Do now
WORKAROUND: If immediate upgrade is not possible, apply Security Update LFSec131 as an interim mitigation
HARDENING: Restrict local and remote access to HMI workstations and engineering stations to authorized personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade InduSoft Web Studio to version 8.1 SP3 or later
HOTFIX: Upgrade InTouch Edge HMI to 2017 Update 3 or later
HARDENING: Require multi-factor authentication or strong access controls for engineering and administrative access to HMI systems
Long-term hardening
HARDENING: Isolate HMI and engineering networks from the business network using firewalls and network segmentation