Parsons AccuWeather widget

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-175-06 | Jun 24, 2025
Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A cross-site scripting (CWE-79) vulnerability in the AccuWeather widget RSS feed of Parsons Utility Enterprise Data Management and Aclara AclaraONE allows an attacker to inject malicious links into the feed. When utility operators or administrators view the weather widget, they may click the malicious link, potentially leading to phishing or malware infection. Parsons has patched all managed instances as of January 7, 2025. AclaraONE Hosted instances were patched by Aclara as of February 7, 2025. AclaraONE On-Premise users must apply patch version 1.22 or later. Utility Enterprise Data Management on-premise or customer-managed instances remain unpatched.

What this means
What could happen
An attacker could inject malicious links into an RSS weather feed within a utility management interface, potentially tricking operators or administrators into clicking links that could lead to credential theft or malware infection on systems with access to operational technology networks.
Who's at risk
This vulnerability affects energy utilities using Parsons Utility Enterprise Data Management (versions 3.30, 4.02–4.26, 5.03, and 5.18) and Aclara's AclaraONE Utility Portal (versions prior to 1.22). These systems are used by operators and administrators to monitor and manage utility operations; compromise could lead to credential theft or malware on systems with network access to operational control systems.
How it could be exploited
An attacker injects a malicious link into the AccuWeather RSS feed source. When a utility operator views the weather widget RSS feed in Utility Enterprise Data Management or AclaraONE, they see the crafted link and click it, potentially leading to a phishing page or malware payload. The attacker relies on user interaction (clicking the link) rather than automatic compromise.
Prerequisites
  • User must view and interact with the RSS feed in the weather widget
  • Attacker must be able to influence or intercept the RSS feed source to inject a malicious link
  • The affected product version must be deployed in the environment
  • Requires user interaction (link click)
  • Affects web-based utility management interfaces
  • Stored in RSS feed accessible to multiple users
  • Credentials or access from compromised operator workstations could enable lateral movement into OT networks
  • Utility Enterprise Data Management versions have no patch available from vendor
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (5)
1 with fix, 4 pending
Product | Affected Versions | Fix Status
Utility Enterprise Data Management | 5.18 | No fix yet
Utility Enterprise Data Management | 5.03 | No fix yet
Utility Enterprise Data Management | ≥ 4.02, ≤ 4.26 | No fix yet
Utility Enterprise Data Management | 3.30 | No fix yet
AclaraONE Utility Portal | < 1.22 | 1.22
Remediation & Mitigation
Do now
WORKAROUND: Disable or remove the AccuWeather widget RSS feed from user-accessible interfaces if it cannot be patched immediately
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: For AclaraONE On-Premise deployments, update to version 1.22 or later
HOTFIX: For Utility Enterprise Data Management (all versions), coordinate with Parsons support to apply the patch that was deployed to Parsons-managed instances as of January 7, 2025, or confirm your instance is managed by Parsons
Long-term hardening
HARDENING: Restrict network access to utility management system interfaces to authorized operator workstations only; do not expose them to the internet
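
For teams that maintain their own portal widgets, the link-injection path described under "How it could be exploited" is closed by treating every RSS item field as untrusted before rendering. The sketch below is an added example, not Parsons or Aclara code; the allowlisted host, the function names and the sample items are assumptions made for illustration.

```javascript
// Added example: treat RSS item fields as untrusted before they reach the page.
// ALLOWED_LINK_HOSTS is an assumption; list the hosts your feed legitimately links to.
const ALLOWED_LINK_HOSTS = new Set(["www.accuweather.com"]);

// Escape text for HTML element content and quoted attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Return a normalized https URL on an allowlisted host, or null to drop the link.
function safeFeedLink(rawLink) {
  let url;
  try {
    url = new URL(String(rawLink).trim());
  } catch {
    return null; // relative or malformed value
  }
  if (url.protocol !== "https:") return null; // rejects javascript:, data:, http:
  if (url.username || url.password) return null; // rejects https://trusted-name@other-host/
  if (!ALLOWED_LINK_HOSTS.has(url.hostname)) return null; // exact match, no suffix tricks
  return url.href;
}

// Render one feed item; a rejected link degrades to plain text, not a clickable anchor.
function renderFeedItem(item) {
  const title = escapeHtml(item.title ?? "");
  const href = safeFeedLink(item.link ?? "");
  if (href === null) return `<li>${title}</li>`;
  return `<li><a href="${escapeHtml(href)}" rel="noopener noreferrer">${title}</a></li>`;
}

// Constructed sample items (not taken from any real feed).
const sampleItems = [
  { title: "Five-day forecast", link: "https://www.accuweather.com/en/us/forecast?a=1&b=2" },
  { title: "<b>Storm</b> alert", link: "https://www.accuweather.com.example.net/login" },
  { title: "Radar", link: "javascript:void(0)" },
];

function renderFeed(items) {
  return `<ul>${items.map(renderFeedItem).join("")}</ul>`;
}

console.log(renderFeed(sampleItems));
```

Items whose link fails validation still show their escaped title, so operators keep the weather text while the untrusted link is never rendered as clickable.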