AVEVA Edge 2020 R2 SP1 and all prior versions

MonitorCVSS 7.8ICS-CERT ICSA-22-249-02Sep 6, 2022

AVEVA

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

AVEVA Edge versions 2020 R2 SP1 and all prior versions contain multiple vulnerabilities (CWE-357, CWE-427, CWE-502, CWE-611) that could allow arbitrary code execution, information disclosure, or denial of service when a user opens a malicious project file. The vulnerabilities are exploitable only with local access and require user interaction to trigger. Successful exploitation could result in unauthorized modification of control system projects, access to sensitive configuration data, or system crashes that disrupt operations.

What this means

What could happen

An attacker with local access to a machine running AVEVA Edge could execute arbitrary code with the privileges of the logged-in user, potentially gaining control over the visualization and control system project files, altering setpoints, or disrupting operations.

Who's at risk

Water utilities and electric utilities that use AVEVA Edge (formerly InduSoft Web Studio) for SCADA visualization and project-based automation are affected. This includes any engineering workstations or HMI servers running AVEVA Edge 2020 R2 SP1 or earlier versions.

How it could be exploited

An attacker must trick a user into opening a malicious AVEVA Edge project file from an untrusted source. Once the file is opened by a user on a local machine, the attacker's code executes with that user's privileges, allowing modification of control logic, access to sensitive configuration data, or denial of service through system crashes.

Prerequisites

Local access to a machine with AVEVA Edge installed
User interaction required—victim must open a malicious project file
No special privileges or credentials required to trigger exploitation

Local access required (not remotely exploitable)User interaction required to open malicious fileLow complexity exploitationHigh EPSS score (14.8%)Affects system configuration and control logic

Exploitability

Some exploitation risk — EPSS score 4.8%

Affected products (1)

ProductAffected VersionsFix Status

AVEVA Edge: 2020 R2 SP1 and all prior versions≤ 2020 R2 SP1No fix yet

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGApply Access Control Lists (ACLs) to all folders where AVEVA Edge project files are saved and loaded

HARDENINGEstablish and maintain a trusted chain-of-custody process for AVEVA Edge project files during creation, modification, distribution, and use

HARDENINGTrain engineering and operations staff to verify the source of AVEVA Edge project files before opening or executing them

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade AVEVA Edge 2020 R2 and earlier versions to AVEVA Edge 2020 R2 SP1, then apply security fix HF 2020.2.00.40

HOTFIXFor AVEVA Edge 2020 R2 SP1 systems, apply security fix HF 2020.2.00.40

CVEs (6)

CVE-2022-36970 CVE-2022-28686 CVE-2022-28687 CVE-2022-28688 CVE-2022-28685 CVE-2022-36969

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1143a18e-5e38-4d75-830e-84763271748b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.