AVEVA Edge products (formerly known as InduSoft Web Studio)

Plan PatchCVSS 7.3ICS-CERT ICSA-24-032-03Feb 1, 2024

AVEVA

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

AVEVA Edge versions 2020 R2 SP2 and earlier contain an unsafe DLL loading vulnerability (CWE-427) that allows an attacker with local access to achieve arbitrary code execution and privilege escalation by tricking the application into loading a malicious DLL. The attacker must have local access to the system and user interaction is required to trigger the vulnerability. AVEVA recommends upgrading to AVEVA Edge 2023 or applying patch AVEVA Edge 2020 R2 SP2 P01. No public exploitation of this vulnerability has been reported.

What this means

What could happen

An attacker with local access to an AVEVA Edge workstation could execute arbitrary code with the privileges of the logged-in user, potentially gaining full control of the engineering environment and ability to modify industrial process configurations.

Who's at risk

Organizations running AVEVA Edge engineering workstations (formerly InduSoft Web Studio) on Windows systems used for HMI development, monitoring, and control of water treatment plants, power systems, and other industrial processes. This affects engineering staff and any user with local access to these workstations.

How it could be exploited

An attacker must have local access to the AVEVA Edge system and trick the application into loading a malicious DLL from an attacker-controlled location (such as via social engineering to open a file or navigate to a directory). When AVEVA Edge loads the unsafe DLL, the attacker's code runs with the user's privileges.

Prerequisites

Local access to the AVEVA Edge workstation
Valid user account logged into AVEVA Edge
User interaction required (tricking the user to load a file or navigate to attacker-controlled directory)
Vulnerable version running (AVEVA Edge 2020 R2 SP2 or earlier)

Local access only (not remotely exploitable)User interaction requiredLow complexity exploitationAffects engineering workstations that control critical infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (1)

ProductAffected VersionsFix Status

AVEVA Edge: <=2020_R2_SP2≤ 2020 R2 SP22023 or AVEVA Edge 2020 R2 SP2 P01

Remediation & Mitigation

0/4

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade AVEVA Edge to version 2023 or apply patch AVEVA Edge 2020 R2 SP2 P01

WORKAROUNDImplement application whitelisting on AVEVA Edge workstations to prevent unauthorized DLL execution

Long-term hardening

0/2

HARDENINGRestrict local access to AVEVA Edge workstations and limit user accounts to engineering staff only

HARDENINGTrain users not to open files or navigate to directories from untrusted sources when working with AVEVA Edge

CVEs (1)

CVE-2023-6132

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fb039e8d-77f2-45d8-a15f-062469c4f8df

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.