AVEVA Edge

Plan Patch | CVSS 8.4 | ICS-CERT ICSA-25-317-03 | Nov 13, 2025
AVEVA
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

AVEVA Edge versions 2023 R2 and earlier use weak password hashing algorithms (CWE-327) that allow local attackers to reverse engineer passwords through brute force attacks. A local attacker with user-level privileges could compromise project passwords and gain unauthorized access to control systems configuration and industrial processes. The vulnerability is fixed in AVEVA Edge 2023 R2 P01, which implements improved password hashing.

What this means
What could happen
An attacker with local access to a machine running AVEVA Edge could reverse engineer weak passwords through brute force attacks. This could lead to unauthorized access to the Edge configuration and control of associated industrial processes or data.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using AVEVA Edge for process monitoring and control should prioritize this update. AVEVA Edge is commonly used in SCADA systems, real-time data monitoring, and industrial process automation environments.
How it could be exploited
An attacker with local access to the machine hosting AVEVA Edge could use brute force techniques to reverse engineer passwords stored with weak hashing. Once passwords are compromised, the attacker gains the ability to modify projects, alter process setpoints, or exfiltrate sensitive configuration data.
Prerequisites
  • Local access to the machine running AVEVA Edge
  • User-level or higher privileges on the host system
  • Knowledge of default or weak passwords in use
  • Weak password hashing algorithm (CWE-327)
  • Local exploitation required but with low privilege barrier
  • Affects configuration and process control access
  • Password hardening requires operational changes beyond patching
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Edge: <=2023_R2 | ≤ 2023 R2 | 2023 R2 P01
Remediation & Mitigation
Do now
WORKAROUND: Require all AVEVA Edge users to change their passwords immediately after patching
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update AVEVA Edge to version 2023 R2 P01 or later
HOTFIX: Migrate all project files from older versions to 2023 R2 P01 after applying the update (one-way migration due to password hashing algorithm changes)
HARDENING: Enable data protection at the project level using a strong master password
Long-term hardening
HARDENING: Remove any passwords embedded in project documents (scripts, worksheets) and replace with project tags
HARDENING: Restrict local access to machines running AVEVA Edge to authorized personnel only