ICSA-22-249-02 · Published 2022-09-06 · CISA ICS-CERT
AVEVA Edge 2020 R2 SP1 and all prior versions
CVSS 7.8 (HIGH)
Risk Summary
Successful exploitation of these vulnerabilities could result in arbitrary code execution, information disclosure, or denial of service.
Remediations
- AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
- For AVEVA Edge 2020 R2 SP1, users should apply security fix HF 2020.2.00.40 (login required).
- For AVEVA Edge 2020 R2 and all prior versions (formerly known as InduSoft Web Studio), users should first upgrade to AVEVA Edge 2020 R2 SP1 (login required) and then apply security fix HF 2020.2.00.40.
- Access Control Lists (ACLs) should be applied to all folders in which users save and load project files.
- Maintain a trusted chain-of-custody on project files during creation, modification, distribution, and use.
- Train users to always verify the source of a project before opening or executing it.
- For additional details, users can refer to the supplied help file in HF 2020.2.00.40 (login required).
- For more information on this vulnerability, including security updates, users should see security bulletin AVEVA-2022-005.
Affected Vendors
AVEVA Software, LLC
Affected Products (1)
AVEVA Software, LLC · AVEVA Edge <= 2020 R2 SP1
Affected Sectors
Critical Manufacturing