AVEVA Application Server IDE
Monitor | 6.9 | ICS-CERT ICSA-25-317-02 | Nov 13, 2025
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: Required
Summary
AVEVA Application Server IDE versions 2023 R2 SP1 P02 and earlier contain a cross-site scripting (XSS) vulnerability in help file handling (CWE-80). An attacker with high privileges (membership in the aaConfigTools OS Group) and local system access can inject malicious scripts into help documentation. When users open the affected help files, the injected code executes in their browser context, potentially enabling credential theft or further system compromise. No remote exploitation is possible; this requires local privileged access and user interaction.
What this means
What could happen
An attacker with high privileges and local system access could inject malicious code into help files, potentially executing scripts in the context of users who view those files. This could be leveraged for credential theft or lateral movement within the engineering network.
Who's at risk
This affects organizations using AVEVA Application Server IDE for configuration and maintenance of industrial automation systems, including water utilities and electric utilities that rely on AVEVA System Platform for SCADA/process control. The risk is highest for facilities where engineering staff have interactive access to the help system on machines where administrators or configuration tool users could inject malicious content.
How it could be exploited
An attacker must first gain high-privilege (administrator or member of aaConfigTools OS Group) access to the Application Server host, then inject XSS code into help files. When legitimate users open the help documentation, the malicious script executes in their browser context, potentially stealing credentials or launching further attacks.
Prerequisites
- High-privilege local access to the Application Server host (membership in aaConfigTools OS Group or equivalent administrator role)
- User interaction: a legitimate user must open or view the tampered help files
- Application Server IDE version 2023 R2 SP1 P02 or earlier must be running
- Requires high-privilege local access (reduces immediate risk)
- Requires user interaction (help file must be opened)
- Low complexity attack once access is gained
- No patch available for some older installations (end-of-life versions)
- Affects engineering/IT workstations (not directly safety-critical, but can enable lateral movement)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Application Server: <=2023_R2_SP1_P02 | ≤ 2023 R2 SP1 P02 | 2023 R2 SP1 P03 or higher
Remediation & Mitigation
Do now
- HARDENING: Audit and restrict OS Group membership for 'aaConfigTools' to only trusted engineering staff who require IDE access
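One way to run the 'aaConfigTools' membership audit on an Application Server host, as an added example that is not AVEVA's or the advisory's own code. The approved account names are constructed placeholders, and the script assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example: compare local 'aaConfigTools' membership against an allowlist.
# The $Approved defaults are constructed sample values; supply your site's list.
param(
    [string]$GroupName = 'aaConfigTools',
    [string[]]$Approved = @('ENGWS01\eng.alice', 'PLANT\SP-Engineers')
)

try {
    # @() keeps the result an array even when the group has zero or one member.
    $members = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop)
} catch {
    # Also reached when the group is absent or contains an unresolvable SID.
    Write-Error "Could not read group '$GroupName': $($_.Exception.Message)"
    exit 2
}

# Nested groups widen access without appearing as individual accounts;
# flag each one so its own membership can be reviewed.
foreach ($g in ($members | Where-Object ObjectClass -eq 'Group')) {
    Write-Warning "Nested group grants access: $($g.Name) ($($g.PrincipalSource))"
}

# Account names are case-insensitive on Windows; -in / -notin compare that way.
$names      = @($members | ForEach-Object Name)
$unexpected = @($names    | Where-Object { $_ -notin $Approved })
$absent     = @($Approved | Where-Object { $_ -notin $names })

$members |
    Select-Object Name, ObjectClass, PrincipalSource,
        @{ n = 'Approved'; e = { $_.Name -in $Approved } } |
    Format-Table -AutoSize

if ($absent.Count -gt 0) {
    Write-Output "Approved but not currently members: $($absent -join ', ')"
}
if ($unexpected.Count -gt 0) {
    Write-Warning "Unapproved members of ${GroupName}: $($unexpected -join ', ')"
    exit 1
}
Write-Output "All $($members.Count) members of $GroupName are on the approved list."
```

The non-zero exit codes let a scheduled task or configuration-management job raise an alert when membership drifts from the approved list.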
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade AVEVA Application Server to version 2023 R2 SP1 P03 or higher
Long-term hardening
- HARDENING: Isolate the engineering network running Application Server IDE from the business network and internet using network segmentation and firewalls
- HARDENING: If remote access to engineering workstations is required, implement VPN with strong authentication and keep VPN software current
CVEs (1)
API:
/api/v1/advisories/5a7ca80a-12cb-4653-af22-6350518fe2af