OTPulse

Opto 22 groov View

Plan Patch | CVSS 7.6 | ICS-CERT ICSA-25-329-04 | Nov 25, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed

Summary

A credential and key exposure vulnerability in Opto 22 groov View Server and GRV-EPIC controllers allows an authenticated attacker to extract stored credentials, API keys, and encryption keys. This could enable privilege escalation and compromise of other connected systems. The vulnerability affects groov View Server for Windows R1.0a through R4.5d and GRV-EPIC firmware versions prior to 4.0.3.

What this means
What could happen
An attacker with login credentials could expose stored credentials, API keys, and encryption keys in groov View Server and EPIC controllers, potentially gaining access to other systems and escalating privileges on industrial equipment.
Who's at risk
Water authorities and municipal utilities using Opto 22 groov View Server for Windows (versions R1.0a through R4.5d) and GRV-EPIC-PR1 and GRV-EPIC-PR2 controllers should upgrade immediately. These devices are commonly used for HMI (human-machine interface) and real-time process monitoring and control in SCADA systems.
How it could be exploited
An attacker must first obtain valid login credentials for groov View Server or an EPIC controller (e.g., through phishing, weak passwords, or credential compromise). Once authenticated, they can extract stored credentials and keys from the system's configuration or memory, then use those credentials to access other connected equipment or services.
Prerequisites
  • Valid username and password for groov View Server or GRV-EPIC device
  • Network access to the groov View Server port or EPIC device interface
  • Access to the configuration storage or memory where credentials are kept
Risk factors
  • Remote access possible with valid credentials
  • Affects process control and monitoring systems
  • Credential and key exposure can enable lateral movement to other OT systems
  • Authentication required but weak password policies are common in industrial environments
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3), 3 with fix

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| groov View Server for Windows | ≥ R1.0a, ≤ R4.5d | R4.5e |
| GRV-EPIC-PR1 Firmware | < 4.0.3 | 4.0.3 |
| GRV-EPIC-PR2 Firmware | < 4.0.3 | 4.0.3 |
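
An added example (not part of the OTPulse page or any Opto 22 tooling) for triaging an asset inventory against the ranges above. It assumes groov View versions follow the R<major>.<minor><letter> form seen in the advisory and that firmware versions are dotted numbers; the hostnames and inventory rows are constructed.

```python
import re

# Ranges and fixed versions copied from the advisory's affected-products table.
GROOV_VIEW = "groov View Server for Windows"
GROOV_FIRST, GROOV_LAST = "R1.0a", "R4.5d"
EPIC_MODELS, EPIC_FIX = {"GRV-EPIC-PR1", "GRV-EPIC-PR2"}, "4.0.3"

def parse_groov_view(version):
    """'R4.5d' -> (4, 5, 'd'). The R<major>.<minor><letter> layout is an assumption."""
    m = re.fullmatch(r"[Rr](\d+)\.(\d+)([a-z])", version.strip())
    if not m:
        raise ValueError(f"unrecognised groov View version: {version!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)

def parse_firmware(version):
    """'4.0.3' -> (4, 0, 3); short versions such as '4.1' are zero-padded."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def assess(product, version):
    """Return 'affected', 'not affected' or 'unknown' for one inventory row."""
    try:
        if product == GROOV_VIEW:
            lo, hi = parse_groov_view(GROOV_FIRST), parse_groov_view(GROOV_LAST)
            return "affected" if lo <= parse_groov_view(version) <= hi else "not affected"
        if product in EPIC_MODELS:
            older = parse_firmware(version) < parse_firmware(EPIC_FIX)
            return "affected" if older else "not affected"
    except ValueError:
        pass
    return "unknown"  # unlisted product or unparseable version: verify by hand

# Constructed sample inventory: (hostname, product, reported version).
INVENTORY = [
    ("hmi-01", GROOV_VIEW, "R4.5d"),
    ("hmi-02", GROOV_VIEW, "R4.5e"),
    ("plc-07", "GRV-EPIC-PR1", "3.6.0"),
    ("plc-08", "GRV-EPIC-PR2", "unknown-build"),
]

def triage(inventory):
    return {host: assess(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Rows that come back "unknown" are deliberately not treated as safe; they need a manual version check before being closed out.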
Remediation & Mitigation
Do now
  • HARDENING: Deploy a firewall to restrict network access to groov View Server and EPIC devices to authorized users and systems only
  • HARDENING: Require multi-factor authentication or VPN for any remote access to groov View Server or EPIC controllers
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade groov View Server for Windows to Version R4.5e or later
  • HOTFIX: Upgrade GRV-EPIC-PR1 and GRV-EPIC-PR2 firmware to Version 4.0.3 or later
  • HARDENING: Enforce strong password policies and periodically rotate credentials for all groov View and EPIC user accounts
Long-term hardening
  • HARDENING: Implement network segmentation to isolate groov View Server and EPIC controllers from business networks and the Internet
Opto 22 groov View | CVSS 7.6 - OTPulse