AVEVA Edge
Plan Patch | 8.4 | ICS-CERT ICSA-25-317-03 | Nov 13, 2025
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
AVEVA Edge contains a weak password hashing vulnerability (CWE-327) that allows a local attacker to reverse engineer passwords through a brute-force attack against the password hash. The vulnerability affects all Edge versions through 2023_R2. The application uses inadequate cryptographic algorithms to protect user credentials, making offline brute-force attacks computationally feasible. A successful attack would allow an attacker with local system access to recover plaintext passwords and gain unauthorized access to protected project files, control logic, and configuration settings.
What this means
What could happen
An attacker with local access to an AVEVA Edge system could brute-force the password hash and gain unauthorized access to project files and control logic, potentially allowing them to modify setpoints, disable alarms, or alter industrial processes.
Who's at risk
AVEVA Edge operators and administrators responsible for visualization and data acquisition systems in water treatment, power distribution, manufacturing, and other utility environments are at risk. This affects anyone using Edge 2023_R2 or older versions where automation scripts, process configurations, or engineering workstations contain password-protected project files.
How it could be exploited
An attacker with local access to the AVEVA Edge machine extracts password hashes from the application's configuration files and performs offline brute-force attacks to recover plaintext passwords. The weak hashing algorithm (CWE-327) makes this feasible without requiring network connectivity once the hashes are obtained.
Prerequisites
- Local access to the machine running AVEVA Edge
- Access to project files or configuration storage where password hashes are stored
- AVEVA Edge version 2023_R2 or older
- Weak cryptographic hashing (CWE-327)
- Local access required but feasible if engineering workstation is compromised
- Offline brute-force feasible
- Affects multiple critical infrastructure sectors
- One-way migration path limits rollback options
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Edge: <=2023_R2 | ≤ 2023 R2 | 2023 R2 P01
Remediation & Mitigation
Do now
- HOTFIX: Apply AVEVA Edge 2023 R2 P01 Security Update immediately
- HARDENING: Require all AVEVA Edge users to change their passwords after applying the security update
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Configure project-level data protection with a strong master password
- HOTFIX: Migrate project files from older versions to 2023 R2 P01 to benefit from improved password hashing
Long-term hardening
- HARDENING: Remove embedded passwords from scripts and worksheets; use project tags instead
CVEs (1)
API: /api/v1/advisories/ea4ff0f1-e834-4200-8c6d-de25fd4f5572