AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere

Act NowCVSS 9.8ICS-CERT ICSA-22-342-02Dec 8, 2022

AVEVAEnergyManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

AVEVA InTouch Access Anywhere (version 2023 and earlier) and Plant SCADA Access Anywhere (version 2020 R2 and earlier) contain a critical vulnerability that allows unauthenticated network attackers to execute arbitrary code on affected servers. The vulnerability is caused by improper input validation in the web interface (CWE-23, CWE-120) and may enable cross-site scripting attacks (CWE-79). No vendor patches are currently available for either product. The vulnerability has a 92.2% exploit probability (EPSS) and has been observed in targeted attacks.

What this means

What could happen

An attacker with network access to InTouch or Plant SCADA Access Anywhere could execute arbitrary code on the server, gaining complete control over SCADA operations and process data. This could allow manipulation of setpoints, halting of critical processes, or theft of operational information.

Who's at risk

Energy utilities, water authorities, and manufacturing facilities using AVEVA InTouch Access Anywhere or Plant SCADA Access Anywhere for remote SCADA access and monitoring. This is critical for any organization that has deployed these products for operator access or engineering workstation connectivity to control systems.

How it could be exploited

An attacker on the network sends a specially crafted request to the vulnerable web interface of the Access Anywhere server. The server processes the request without proper input validation, allowing the attacker to inject code or commands that execute with the privileges of the service, typically leading to remote code execution on the SCADA system.

Prerequisites

Network access to the InTouch or Plant SCADA Access Anywhere web service (typically port 443 or similar HTTPS port)
No valid credentials required
The vulnerable product must be Internet-facing or accessible from an attacker's network position

remotely exploitableno authentication requiredlow complexity attackhigh EPSS score (92.2%)no patch availableaffects control system operationsactively used for critical infrastructure access

Exploitability

Likely to be exploited — EPSS score 92.2%

Public Proof-of-Concept (PoC) on GitHub (3 repositories)

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

InTouch Access Anywhere -≤ 2023No fix (EOL)

Plant SCADA Access Anywhere -≤ 2020 R2No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGRestrict network access to InTouch and Plant SCADA Access Anywhere to trusted engineering workstations and control system networks only using firewall rules

WORKAROUNDRemove or disable public Internet accessibility to InTouch and Plant SCADA Access Anywhere servers immediately

HARDENINGMonitor for signs of exploitation: unusual HTTP requests to the Access Anywhere service, unexpected code execution, or unauthorized access attempts

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGIf remote access is required, deploy a secure VPN with the latest security patches and restrict access through VPN to authorized personnel only

HARDENINGSegment the SCADA Access Anywhere server behind a firewall, isolated from business network and Internet

CVEs (3)

CVE-2022-23854 CVE-2021-3711 CVE-2020-11022

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/46c0aa6f-e48a-4096-9fc5-60cc7cf4c0fc

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.