ICSA-25-317-02  ·  Published 2025-11-13  ·  Source: CISA ICS-CERT

AVEVA Application Server IDE

CVSS 6.9 MEDIUM

Risk Summary

Successful exploitation of this vulnerability could allow an attacker to tamper with help files and inject cross-site scripting (XSS) code.

CVEs (1)

Remediations

  • AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users running affected product versions should apply security updates to mitigate the risk of exploitation.
  • All affected versions of the Application Server IDE can be fixed by upgrading to AVEVA System Platform 2023 R2 SP1 P03 or higher.
  • The following general defensive measures are recommended:
      • Audit assigned permissions to ensure that only trusted users are added to the "aaConfigTools" OS Group. For additional information on Application Server OS Security groups and accounts, see https://docs.aveva.com/bundle/sp-install/page/738031.html
  • For more information, see AVEVA's Security Bulletin AVEVA-2025-005 or AVEVA's bulletins page.

Affected Vendors

AVEVA

Affected Products (1)

AVEVA · Application Server <=2023_R2_SP1_P02

Affected Sectors

Critical Manufacturing
