OTPulse

Parsons AccuWeather widget

Plan Patch · 8.8 · ICS-CERT ICSA-25-175-06 · Jun 24, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A cross-site scripting (XSS) vulnerability in the AccuWeather widget used by Parsons Utility Enterprise Data Management and Aclara's AclaraONE Utility Portal allows an attacker to inject malicious links into the RSS feed displayed within the application. Users who view the widget and click a malicious link could be compromised. Parsons and Aclara have patched their hosted instances, but on-premise AclaraONE deployments require manual patching by end users.

What this means
What could happen
An attacker could inject a malicious link into an RSS feed widget that utility operators view. When clicked, this could lead to credential theft, malware installation, or unauthorized control of data management systems used to monitor and manage electrical distribution or water supply operations.
Who's at risk
Electric utilities, water authorities, and other organizations using Parsons Utility Enterprise Data Management (versions 3.30, 4.02–4.26, 5.03, 5.18) or Aclara's AclaraONE Utility Portal (versions prior to 1.22) for operational dashboards and data management. Specifically, utility operators and system administrators who interact with these portals through a web browser.
How it could be exploited
An attacker crafts a malicious RSS feed entry with a specially crafted link and injects it into the AccuWeather widget. When a utility operator or administrator views the widget in the Utility Enterprise Data Management or AclaraONE portal and clicks the link, the malicious script executes in their browser session, potentially capturing credentials or planting malware on their workstation.
Prerequisites
  • User must view the RSS feed widget in the affected application
  • User must click on an attacker-controlled link in the widget
  • Access to the affected Utility Enterprise Data Management or AclaraONE portal
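The injection described above comes down to feed text and link targets being written into the page unchanged. As an added illustration (not code from Parsons, Aclara, or the advisory), the following contrasts that concatenation pattern with a hardened renderer: item text is HTML-escaped, link targets are parsed and restricted to absolute http(s) URLs, and entries without a safe link are dropped. The `{ title, link }` item shape, the function names and the sample feed entries are constructed assumptions.

```javascript
// Added example, not the widget's own code. Assumes feed items arrive as
// { title, link } objects already extracted from the RSS XML.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape the five characters that can change HTML structure or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Return the normalized URL if it is an absolute http(s) URL, otherwise null.
// Relative and protocol-relative strings ("//host/x") fail to parse without a
// base and are refused rather than resolved against the portal origin.
function safeHref(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // blocks javascript:, data:, vbscript:, ...
  return url.href;
}

// Weak pattern: untrusted feed fields concatenated straight into markup.
function renderFeedItemsUnsafe(items) {
  return items.map(i => `<li><a href="${i.link}">${i.title}</a></li>`).join("");
}

// Hardened pattern: escape text, allow-list the link scheme, drop items with no
// safe link, and open targets in a new browsing context without an opener handle.
function renderFeedItemsSafe(items) {
  return items
    .map(i => ({ title: escapeHtml(i.title), href: safeHref(i.link) }))
    .filter(i => i.href !== null)
    .map(i => `<li><a href="${escapeHtml(i.href)}" rel="noopener noreferrer" target="_blank">${i.title}</a></li>`)
    .join("");
}

// Constructed sample feed: one benign entry and two hostile ones.
const SAMPLE_ITEMS = [
  { title: "Severe thunderstorm watch", link: "https://example.invalid/alerts/1" },
  { title: "<script>alert(1)</script>", link: "javascript:alert(1)" },
  { title: "Flood advisory", link: "data:text/html,x" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderFeedItemsUnsafe(SAMPLE_ITEMS));
  console.log("safe:  ", renderFeedItemsSafe(SAMPLE_ITEMS));
}
```

In a real widget the escaped HTML string would still be assigned via the DOM rather than `innerHTML` where possible; the scheme allow-list is the part that specifically addresses injected links, since escaping alone leaves a `javascript:` href clickable.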
  • Remotely exploitable
  • Low complexity attack
  • User interaction required (click)
  • Affects administrative/data management systems for critical infrastructure
  • Multiple affected products with no immediate patch available for on-premise installations
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (5)
1 with fix, 4 pending
Product                               Affected Versions     Fix Status
Utility Enterprise Data Management    5.18                  No fix yet
Utility Enterprise Data Management    5.03                  No fix yet
Utility Enterprise Data Management    ≥ 4.02 and ≤ 4.26     No fix yet
Utility Enterprise Data Management    3.30                  No fix yet
AclaraONE Utility Portal              < 1.22                1.22
Remediation & Mitigation
Do now
WORKAROUND: Disable or remove the AccuWeather widget from affected portals until patches are applied, if feasible.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: For Parsons Utility Enterprise Data Management users: No action required; Parsons has patched all managed instances as of January 7, 2025.
HOTFIX: For AclaraONE Hosted users: No action required; Aclara has patched all managed instances as of February 7, 2025.
HOTFIX: For AclaraONE On Premise users: Contact Aclara Support via the AclaraONE Connect Customer Portal, phone, or email to request a patch update appointment. Requests are processed in order received.
Long-term hardening
HARDENING: Place all control system networks and administrative portals behind firewalls and isolate them from business networks or the internet.
HARDENING: Restrict remote access to utility management portals to secure VPN connections only, and ensure VPNs are updated to the latest version.