Arbitrary Code Execution Vulnerability in AVEVA Edge by AVEVA
CVE-2022-28685

7.8HIGH

Key Information:

Vendor

Aveva

Status
Edge
Vendor
CVE Published:
29 March 2023

What is CVE-2022-28685?

The vulnerability allows remote attackers to execute arbitrary code on affected installations of AVEVA Edge by exploiting improper validation of user-supplied data during the parsing of APP files. User interaction is necessary, as the target must either visit a malicious page or open a malicious file. If successfully exploited, this can lead to deserialization of untrusted data, enabling attackers to execute code within the context of the affected process.

Affected Version(s)

Edge 2020 SP2 Patch 0(4201.2111.1802.0000)

References

https://www.zerodayinitiative.com/advisories/ZDI-22-1124/
https://www.aveva.com/content/dam/aveva/documents/support...

EPSS Score

15% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

CVSS V3.0

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chris Anastasio (muffin) and Steven Seeley (mr_me) of Incite Team
.