AVEVA Edge

Act Now9.8ICS-CERT ICSA-22-326-01Nov 22, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

AVEVA Edge 2020 R2 SP1 and all prior versions contain multiple vulnerabilities (CWE-427, CWE-200, CWE-284, CWE-40) that allow an attacker to insert and execute malicious DLL files. The application does not properly validate code before execution, and multiple code-loading paths lack sufficient access controls. An unauthenticated attacker with network access can exploit these weaknesses to achieve remote code execution.

What this means

What could happen

An attacker could insert malicious DLL files into AVEVA Edge and trick the application into executing arbitrary code, potentially allowing remote control of the HMI/SCADA visualization system and underlying processes.

Who's at risk

Water utilities, electrical utilities, and other operators running AVEVA Edge (formerly InduSoft Web Studio) 2020 R2 SP1 or earlier for HMI/SCADA visualization and control. This affects any organization using this software to monitor and manage industrial processes, from small manufacturing sites to municipal infrastructure.

How it could be exploited

An attacker with network access to port TCP/3997 (or other exposed AVEVA Edge services) could deliver a malicious DLL file that the application loads and executes. The application fails to properly validate or authenticate code before execution, allowing the attacker to run arbitrary commands with the privileges of the Edge service.

Prerequisites

Network access to AVEVA Edge instance (typically port TCP/3997)
Ability to place or influence a malicious DLL file in a location where AVEVA Edge will load it
No authentication required to trigger the vulnerability

remotely exploitableno authentication requiredlow complexityno patch available for most versionshigh CVSS score (9.8)critical severity

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (3)

2 with fix1 pending

ProductAffected VersionsFix Status

Edge - AVEVA Edge 2020 R2 and all prior≤ R2 (formerly known as InduSoft Web Studio)No fix yet

Edge - AVEVA Edge 2020 R2 SP1R2 SP12020 R2 SP2

Edge - AVEVA Edge 2020 R2 SP1 w/ HF 2020.2.00.40R2 SP1 w/ HF 2020.2.00.402020 R2 SP2

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to AVEVA Edge port TCP/3997 using firewall rules; allow only trusted engineering workstations and remote access solutions

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to AVEVA Edge 2020 R2 SP2 or later

Long-term hardening

0/2

HARDENINGIsolate AVEVA Edge systems from the business network and ensure they are not directly reachable from the Internet

HARDENINGUse a VPN or secure remote access method if remote engineering access is required; keep the VPN infrastructure current with security patches

CVEs (4)

CVE-2016-2542 CVE-2021-42794 CVE-2021-42796 CVE-2021-42797

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/42469d7b-0530-4140-8295-9bd5043720cd