Opto 22 groov View
Plan Patch
CVSS 7.6
ICS-CERT ICSA-25-329-04
Nov 25, 2025
Attack path
- Attack Vector: Network
- Auth Required: Low
- Complexity: Low
- User Interaction: None needed
Summary
Opto 22 groov View Server for Windows (versions R1.0a through R4.5d) and GRV-EPIC Firmware (versions prior to 4.0.3) contain an insecure credential storage vulnerability (CWE-1230). An authenticated user can extract plaintext or weakly protected credentials and encryption keys from the device, leading to credential exposure, key exposure, and privilege escalation to higher-level system access. Opto 22 has released patches: groov View Server R4.5e and GRV-EPIC Firmware 4.0.3.
What this means
What could happen
An authenticated attacker could extract credentials and encryption keys from groov View Server or GRV-EPIC devices, then escalate privileges to gain control over process monitoring and configuration functions in your SCADA or HMI infrastructure.
Who's at risk
Water utilities, municipal electric utilities, and other critical infrastructure operators using Opto 22 groov View Server for Windows or GRV-EPIC (PR1/PR2) controller firmware for SCADA monitoring, HMI, or process control should assess exposure. Affects devices used for real-time system visibility and control in treatment plants, distribution networks, and generation facilities.
How it could be exploited
An attacker with valid credentials to groov View (engineering account or operator role) accesses the device via the network and exploits an insecure credential storage vulnerability to read stored passwords or encryption keys from memory or configuration files. These credentials can then be used to escalate privileges or pivot to other control systems.
Prerequisites
- Valid login credentials to groov View Server or GRV-EPIC (engineering workstation account or operator account)
- Network connectivity to the groov View Server or GRV-EPIC device (typically on OT network, may be accessible from engineering workstations)
- Requires valid credentials (low barrier if operators reuse passwords or share accounts)
- High privilege escalation potential (attacker moves from operator to admin level)
- Credentials and keys are persistently exposed in device memory or files (not a transient vulnerability)
- Affects SCADA/HMI infrastructure central to operations visibility and control
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (3)
3 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| groov View Server for Windows | ≥ R1.0a, ≤ R4.5d | R4.5e |
| GRV-EPIC-PR1 Firmware | < 4.0.3 | 4.0.3 |
| GRV-EPIC-PR2 Firmware | < 4.0.3 | 4.0.3 |
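Added example (not part of the original advisory and not Opto 22 tooling): a triage check that classifies asset-inventory rows against the version ranges in the table above. The version-string formats, the `triage` and `report` helpers, and the sample inventory are assumptions made for illustration.

```python
import re

# Ranges copied from the advisory's affected-products table.
VIEW_AFFECTED = ("R1.0a", "R4.5d")   # inclusive range, fixed in R4.5e
EPIC_FIXED = "4.0.3"                 # GRV-EPIC-PR1 / PR2: anything below is affected


def parse_view(version):
    # Assumption: "R<major>.<minor><letter>", with letters ordered alphabetically.
    m = re.fullmatch(r"R(\d+)\.(\d+)([a-z]?)", version.strip())
    if m is None:
        raise ValueError(version)
    return int(m.group(1)), int(m.group(2)), m.group(3)


def parse_firmware(version):
    # Assumption: "<major>.<minor>.<patch>"; any trailing build suffix is ignored.
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if m is None:
        raise ValueError(version)
    return tuple(int(g) for g in m.groups())


def triage(product, version):
    """Return 'affected', 'not affected' or 'review' for one inventory row."""
    try:
        if product == "groov View Server for Windows":
            low, high = (parse_view(v) for v in VIEW_AFFECTED)
            return "affected" if low <= parse_view(version) <= high else "not affected"
        if product in ("GRV-EPIC-PR1", "GRV-EPIC-PR2"):
            fixed = parse_firmware(EPIC_FIXED)
            return "affected" if parse_firmware(version) < fixed else "not affected"
    except ValueError:
        pass
    return "review"  # unknown product or unparseable version: check by hand


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("hmi-plant-01", "groov View Server for Windows", "R4.5d"),
    ("hmi-plant-02", "groov View Server for Windows", "R4.5e"),
    ("epic-lift-03", "GRV-EPIC-PR1", "3.6.0"),
    ("epic-lift-04", "GRV-EPIC-PR2", "4.0.3"),
    ("epic-lift-05", "GRV-EPIC-PR2", "unknown"),
]


def report(inventory=INVENTORY):
    return {host: triage(product, version) for host, product, version in inventory}
```

Rows that come back as `review` have a product name or version string the parser does not recognise and need a manual check rather than being treated as safe.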
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to groov View and GRV-EPIC devices to authorized engineering workstations and operator terminals only; use firewall rules to block access from untrusted networks
- HARDENING: Isolate groov View Server and GRV-EPIC devices from the business network behind a firewall; do not expose them directly to the Internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update groov View Server for Windows to Version R4.5e or later
- HOTFIX: Update GRV-EPIC Firmware (GRV-EPIC-PR1 and GRV-EPIC-PR2) to Version 4.0.3 or later
Long-term hardening
- HARDENING: Enforce strong, unique credentials for all engineering and operator accounts on groov View and GRV-EPIC; rotate passwords after patching
CVEs (1)
API: /api/v1/advisories/e14fcd1e-7410-4cd9-bd1d-280744785b33