ICSA-18-305-01  ·  Published 2018-11-01

AVEVA InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition)

CVSS 9.8 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities could allow an unauthenticated user to remotely execute code.

Remediations

  • AVEVA recommends that users upgrade to InduSoft Web Studio v8.1 SP2 and InTouch Edge HMI (formerly InTouch Machine Edition) 2017 SP2 as soon as possible. Software updates can be downloaded from the Global Customer Support “Software Download” area.
  • InduSoft Web Studio prior to v8.1 SP2
  • InTouch Edge HMI (formerly InTouch Machine Edition) prior to 2017 SP2 (login required)
  • AVEVA recommends that users update existing projects to enable the security features of InduSoft Web Studio and InTouch Edge HMI:
      • Enable the new encrypted channel for communication and disable the unencrypted channel.
      • Set a strong Master Project password.
      • Set a strong password for the built-in account. By default, the built-in account is named Guest.
      • Set strong passwords for all other non-built-in accounts.
  • AVEVA has published Security Bulletin LFSEC00000130 on their website.

Affected Vendors

AVEVA Software, LLC

Affected Products (2)

AVEVA Software, LLC · InduSoft Web Studio <8.1 SP2
AVEVA Software, LLC · InTouch Edge HMI (formerly InTouch Machine Edition) <2017 SP2

Affected Sectors

Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater Systems
