CISA issues alert on AVEVA Application Server IDE vulnerability

AVEVA's Application Server Immutable Deployment Environment (IDE) contains a vulnerability that permits injection of malicious scripts, posing risks related to script-based attacks.

The issue affects Application Server versions up to 2023 R2 SP1 P02. This weakness allows an authenticated user with the “aaConfigTools” privilege to modify application objects' help files during configuration within the IDE component, enabling persistent script injection that can escalate privileges horizontally or vertically. The vulnerability is identified as CVE-2025-8386 and is scored 6.9 under Common Vulnerability Scoring System (CVSS) v3.1, with a vector indicating low attack complexity and required privileges. Under CVSS v4, the base score is 7.2 with specified vector metrics. Runtime components remain unaffected.

Exploitation of this vulnerability could lead to unauthorized alteration of help files and execution of injected scripts, resulting in escalation of user privileges.

Updates that address this vulnerability are available in AVEVA System Platform version 2023 R2 SP1 P03 and subsequent releases. Users are advised to install these updates to remediate the issue.

AVEVA recommends that organizations assess the vulnerability in the context of their operational environment and apply security updates accordingly. Organizations should audit permissions to restrict membership in the “aaConfigTools” Operating System (OS) group to trusted users. Further security guidance includes minimizing network exposure of control systems, isolating such systems behind firewalls separate from business networks, and employing secure remote access methods such as updated Virtual Private Networks. Organizations are encouraged to conduct impact analyses and risk assessments before implementing defenses and to adhere to recommended cybersecurity practices and mitigation strategies published by appropriate authorities.