PT-2022-5603 · Aveva · Aveva Edge

Published: 2022-11-22 · Updated: 2024-10-07 · CVE-2021-42796

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior

Description: An issue was discovered in the ExecuteCommand() function that allows arbitrary commands to be executed without authentication. The root cause is an error in access control management in the stadosvr.exe executable of the AVEVA Edge SCADA system. Exploitation of this issue may allow a remote attacker to execute arbitrary code.

Recommendations: For versions R2020 and prior, consider disabling the ExecuteCommand() function as a temporary workaround until a patch is available. Restrict access to the stadosvr.exe executable to minimize the risk of exploitation.

Fix

Improper Access Control

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2022-06966
CVE-2021-42796

Affected Products

Aveva Edge