OTPulse

AVEVA InTouch

Monitor | 6.6 | ICS-CERT ICSA-21-159-03 | Jun 8, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

AVEVA InTouch versions 2020 R2 and earlier contain a credential storage vulnerability (CWE-316) that allows local users with valid unprivileged credentials to extract plaintext usernames and passwords from InTouch Runtime through interactive user action. This vulnerability is not remotely exploitable. Successful exploitation could expose operator credentials, potentially allowing unauthorized access to the HMI system and control of industrial processes.

What this means
What could happen
An attacker with local access and valid user credentials could extract plaintext usernames and passwords stored in InTouch Runtime, potentially granting access to the HMI system and downstream industrial processes.
Who's at risk
AVEVA InTouch users operating HMI (human-machine interface) systems in water, electric, and manufacturing environments should prioritize this fix. InTouch is widely used in municipal utilities and industrial facilities to control and monitor processes. Any operator workstation or engineering station running InTouch 2020 R2 or earlier is at risk if accessed by unauthorized local users.
How it could be exploited
An attacker must have local access to a system running InTouch Runtime and valid unprivileged user credentials to trigger the vulnerability through interactive user action (local UI interaction required). Once exploited, stored credentials are exposed in cleartext, enabling the attacker to impersonate legitimate operators.
Prerequisites
  • Local access to the InTouch workstation or server
  • Valid unprivileged user account credentials
  • Interactive user action (UI interaction with the application)
  • InTouch 2020 R2 or earlier version installed
local access required | user interaction required | no patch available for versions prior to 2020 R2 | affects HMI/operator access control | cleartext credential exposure
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
InTouch: 2020 R2 and all prior versions | ≤ 2020 R2 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict physical and remote access to InTouch systems to authorized personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update InTouch 2020 R2 to patch P01 (InTouch 2020 R2 P01)
HOTFIX: Update InTouch 2020 to Security Update 1216934
HOTFIX: Update InTouch 2017 U3 SP1 P01 to Security Update 1216933
Long-term hardening
HARDENING: Enforce least-privilege user accounts on InTouch systems—grant operators only the permissions they need for their role
HARDENING: Isolate InTouch workstations and servers from the business network using firewalls and air-gap or network segmentation where feasible