AVEVA Application Server IDE

Monitor · CVSS 6.9 · ICS-CERT ICSA-25-317-02 · Nov 13, 2025
AVEVA
Attack path
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: Required
Summary

AVEVA Application Server IDE versions up to 2023 R2 SP1 P02 contain a cross-site scripting (XSS) vulnerability that allows a high-privilege local attacker to inject malicious code into help files. When users access the compromised help documentation, the injected code executes in their context, potentially enabling unauthorized actions or credential theft. Exploitation requires high-privilege local access and interaction from the targeted user, which limits but does not eliminate the risk in environments where engineering workstations are not properly secured.

What this means
What could happen
An attacker with high privileges and local access could inject malicious code into help files, allowing them to execute commands in the context of users who view those files. This could lead to unauthorized actions within the Application Server environment.
Who's at risk
Organizations using AVEVA Application Server for industrial control systems configuration and management, particularly those in manufacturing, utility, and process industries where AVEVA SCADA/HMI platforms are deployed.
How it could be exploited
An attacker with high-level privileges and local access to the Application Server IDE system could modify help files to inject cross-site scripting (XSS) code. When a user opens the help documentation, the malicious code executes in their browser context, potentially allowing the attacker to steal credentials or perform actions on behalf of that user.
Prerequisites
  • High privilege user account (administrator or equivalent)
  • Local access to the Application Server IDE system
  • Ability to modify help files on the server
  • User interaction required (victim must open affected help files)
Requires high privilege level · Requires local system access · User interaction required · Affects configuration and engineering tools
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Application Server: <=2023_R2_SP1_P02 | ≤ 2023 R2 SP1 P02 | 2023 R2 SP1 P03 or higher
Remediation & Mitigation
Do now
HARDENING: Audit and restrict membership of the 'aaConfigTools' OS group to only trusted administrators
HARDENING: Restrict local access to Application Server IDE systems to only authorized personnel
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update AVEVA Application Server to version 2023 R2 SP1 P03 or higher
Long-term hardening
HARDENING: Implement network segmentation to isolate Application Server systems from business networks and restrict internet accessibility
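
One way to carry out the 'aaConfigTools' membership audit listed under "Do now", as an added example that is not AVEVA's or the advisory's own tooling. It assumes 'aaConfigTools' is a local group on the IDE node; the allow-list and the fallback sample accounts are constructed placeholders.

```powershell
# Added example: audit the 'aaConfigTools' group (name from the advisory) against an allow-list.
# Assumption: it is a local group on the IDE node. All account names below are constructed.
function Compare-GroupMembership {
    param(
        [object[]] $Members  = @(),   # objects exposing Name, ObjectClass, PrincipalSource
        [string[]] $Approved = @()    # accounts allowed to be direct members
    )
    foreach ($m in $Members) {
        # A nested group hides the effective membership, so it is flagged even if listed.
        $finding = if ($m.ObjectClass -eq 'Group') { 'NestedGroup' }
                   elseif ($Approved -notcontains $m.Name) { 'NotApproved' }
                   else { 'OK' }
        [pscustomobject]@{
            Name = $m.Name; ObjectClass = $m.ObjectClass
            Source = $m.PrincipalSource; Finding = $finding
        }
    }
    # Approved accounts that are no longer members: candidates to drop from the allow-list.
    foreach ($a in $Approved) {
        if ($Members.Name -notcontains $a) {
            [pscustomobject]@{ Name = $a; ObjectClass = $null; Source = $null; Finding = 'ApprovedButAbsent' }
        }
    }
}

$group    = 'aaConfigTools'
$approved = @('ENGWS01\ide-admin', 'PLANT\j.doe')   # constructed allow-list
try {
    # Live read on the IDE node (Microsoft.PowerShell.LocalAccounts module).
    $members = @(Get-LocalGroupMember -Name $group -ErrorAction Stop)
} catch {
    Write-Warning "Cannot read '$group': $($_.Exception.Message) Using constructed sample."
    $members = @(
        [pscustomobject]@{ Name = 'ENGWS01\ide-admin';  ObjectClass = 'User';  PrincipalSource = 'Local' }
        [pscustomobject]@{ Name = 'PLANT\contractor7';  ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
        [pscustomobject]@{ Name = 'PLANT\Domain Users'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    )
}

$report = Compare-GroupMembership -Members $members -Approved $approved
$report | Format-Table -AutoSize

# Summarise drift so a scheduled run can be alerted on.
$bad = @($report | Where-Object { $_.Finding -in 'NotApproved', 'NestedGroup' })
if ($bad.Count) { Write-Warning "$($bad.Count) member(s) of '$group' need review." }
```

Run it on each node where the IDE is installed; any `NotApproved` or `NestedGroup` row identifies an account that can write to the IDE configuration and should be reviewed before and after patching.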