An issue was discovered in ExecuteCommand() in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior that allows unauthenticated arbitrary commands to be executed.
The command injection vulnerability is located in the ExecuteCommand() function of AVEVA Edge software. An attacker can remotely, without needing any credentials, submit properly crafted input data that is passed to this function without proper validation or sanitization. As a result, malicious commands are executed directly in the context of the operating system on which the application runs.
An attacker can gain full control over the target system — read or modify data, install malicious software, and cause service unavailability. In industrial environments (ICS/SCADA), the effects may include disruption of operational processes.
Apply patches available from the manufacturer according to references (CISA ICS-CERT advisory: ICSA-22-326-01 and AVEVA manufacturer information). It is recommended to immediately update to a version newer than R2020 and restrict network access to AVEVA Edge systems according to the principle of least privilege.
AVEVA Edge (formerly InduSoft Web Studio) in versions R2020 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAveva Edge
APPAveva2020< 2020
Related vulnerabilities
InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) version...
InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) version...
Path traversal vulnerability in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior allows an u...
This privilege escalation vulnerability, if exploited, cloud allow a local OS-authenticated user with standar...
An issue was discovered in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior. The application...