AVEVA Edge products, previously known as InduSoft Web Studio, are affected by a severe security vulnerability (CVE-2023-6132) with a CVSS v3 score of 7.3, indicating a substantial risk. The vulnerability stems from an uncontrolled search path element, which allows a malicious actor with file system access to execute arbitrary code and escalate privileges. A successful exploit could compromise the integrity, confidentiality, and availability of the affected systems. The affected products include AVEVA Edge versions up to 2020 R2 SP2.
Ting Chen of UESTC and ADLab of Venustech discovered and disclosed this vulnerability to AVEVA. The company strongly recommends that users upgrade to AVEVA Edge 2023 or AVEVA Edge 2020 R2 SP2 P01 promptly. Detailed information and upgrade downloads are available on the AVEVA official website, and users are advised to log in to access these resources.
CISA also emphasizes defensive measures, urging organizations to perform impact analysis and risk assessment before deploying defensive strategies. Additionally, CISA provides recommended practices for control system security that stress the importance of proactive cybersecurity strategies. Mitigation guidance and further practices are accessible on the ICS webpage at cisa.gov/ics.
In response to the vulnerability, CISA recommends protective measures against social engineering attacks, including not clicking links or opening attachments in unsolicited email. No known public exploitation targeting this vulnerability has been reported, and the issue is not exploitable remotely.
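Because the flaw is an uncontrolled search path element that needs local file system access, a useful hardening check alongside the upgrade is to list searched directories that broad non-administrative groups can write to. The PowerShell below is an added example, not code from AVEVA or CISA; the `-ExtraDirs` parameter is an assumption for passing the product's install directory, which the page does not name.

```powershell
# Added example: list search-path directories writable by broad,
# non-administrative principals. Run from an elevated prompt on the host.
param(
    # Assumption: caller supplies the product install directory (not named on the page).
    [string[]]$ExtraDirs = @()
)

# Well-known SIDs, used instead of names so the check is locale-independent.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Bits that allow creating files or subdirectories: WriteData/CreateFiles (0x2),
# AppendData/CreateDirectories (0x4), plus raw GENERIC_WRITE and GENERIC_ALL.
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$inheritOnlyBit = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Machine-wide PATH entries plus any caller-supplied directories.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$dirs = @($machinePath -split ';') + $ExtraDirs |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).Trim() } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Sort-Object -Unique

foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Inherit-only entries apply to children, not to the directory itself.
        $inheritOnly = ([int]$rule.PropagationFlags -band $inheritOnlyBit) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and
            $broadSids -contains $rule.IdentityReference.Value -and
            -not $inheritOnly -and
            ([int]$rule.FileSystemRights -band $writeBits) -ne 0) {
            [pscustomobject]@{
                Directory = $dir
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}
```

Deny entries and nested group membership are not evaluated, so treat the output as a list of directories to review rather than a verdict.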