Arbitrary Code Execution Vulnerability in AVEVA Edge by AVEVA
CVE-2022-28688

7.8HIGH

Key Information:

Vendor: Aveva
Status: Edge
Vendor: CVE Published:; 29 March 2023

What is CVE-2022-28688?

This vulnerability affects AVEVA Edge, enabling remote attackers to execute arbitrary code on compromised systems. It arises from improper handling of APP files, which allows an attacker to load libraries from unsecured locations. User interaction is necessary, as the targeted user must visit a malicious site or open a compromised file. Exploit tactics can lead to significant security risks due to the capability of executing code within the context of the current process.

Affected Version(s)

Edge 2020 SP2 Patch 0(4201.2111.1802.0000)

References

https://www.aveva.com/content/dam/aveva/documents/support...

https://www.zerodayinitiative.com/advisories/ZDI-22-1127/

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

CVSS V3.0

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 29, 2023
Vulnerability Reserved
Apr 5, 2022

Credit

Daan Keuper & Thijs Alkemade from Computest

Aveva

What is CVE-2022-28688?

Affected Version(s)

References

CVSS V3.1

CVSS V3.0

Timeline

Credit