OTPulse

AVEVA InduSoft Web Studio and InTouch Edge HMI

MonitorCVSS 6.5ICS-CERT ICSA-19-078-01Mar 19, 2019
AVEVAManufacturing
Attack path
Attack VectorLocal
Auth RequiredHigh
ComplexityLow
User InteractionRequired
Summary

This vulnerability in AVEVA InduSoft Web Studio (versions before 8.1 SP3) and InTouch Edge HMI (versions before 2017 Update 3) allows execution of unauthorized code or commands. The vulnerability is triggered through user interaction on the local system and requires high privilege access. Successful exploitation could allow an attacker to run arbitrary code with system-level privileges, potentially compromising process visualization, operator interfaces, and automation logic. The vulnerability is not remotely exploitable and no known public exploits exist.

What this means
What could happen
An attacker with local access and elevated privileges on an HMI system could execute unauthorized code, potentially altering process parameters, operator screens, or system logic that controls manufacturing equipment or infrastructure.
Who's at risk
Manufacturing plants and process facilities that use AVEVA InduSoft Web Studio or InTouch Edge HMI for process visualization and control should assess their exposure. This specifically impacts organizations running older versions (InduSoft Web Studio before v8.1 SP3 or InTouch Edge HMI before 2017 Update 3) in environments where engineering staff or operators may interact with untrusted files.
How it could be exploited
An attacker with local administrative/engineering access to an InduSoft Web Studio or InTouch Edge HMI system could exploit this vulnerability (likely through a malicious runtime or project file) to execute arbitrary code with system privileges. The vulnerability is triggered during user interaction (UI), so the attacker needs to trick an authorized operator or engineer into opening or running a malicious component.
Prerequisites
  • Local access to the HMI workstation or engineering station
  • High privilege account (administrator or engineering credentials) on the system
  • User interaction required (operator or engineer must open or execute a malicious file or component)
Local access required (not remotely exploitable)Requires high privileges (administrator or engineering account)Requires user interactionNo patch available for some versions (end-of-life products)
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
InduSoft Web Studio:< 8.1 SP38.1 SP3
InTouch Edge HMI:< 2017 Update 32017 Update 3
Remediation & Mitigation
0/6
Do now
0/2
WORKAROUNDIf immediate upgrade is not possible, apply Security Update LFSec131 as an interim mitigation
HARDENINGRestrict local and remote access to HMI workstations and engineering stations to authorized personnel only
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade InduSoft Web Studio to version 8.1 SP3 or later
HOTFIXUpgrade InTouch Edge HMI to 2017 Update 3 or later
HARDENINGRequire multi-factor authentication or strong access controls for engineering and administrative access to HMI systems
Long-term hardening
0/1
HARDENINGIsolate HMI and engineering networks from the business network using firewalls and network segmentation
View full CISA ICS-CERT advisory
API: /api/v1/advisories/28073085-fc8d-4e0c-8103-feb006d43514

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

AVEVA InduSoft Web Studio and InTouch Edge HMI | CVSS 6.5 - OTPulse