CISA issues alert on AVEVA Edge cryptographic vulnerability allowing local password brute forcing
AVEVA Edge, an HMI/SCADA software product, contains a vulnerability involving the use of a weak cryptographic algorithm, which can expose user passwords to brute-force extraction by local attackers. This security issue affects AVEVA Edge versions 2023 R2 and earlier, potentially compromising authentication credentials stored within project and offline cache files.
The vulnerability is identified as CVE-2025-9317 and falls under CWE-327 (use of a broken or risky cryptographic algorithm). Exploitation requires read access to Edge Project and Offline Cache files, enabling attackers to computationally brute force app-native or Active Directory passwords protected by weak hashes. The flaw carries a Common Vulnerability Scoring System (CVSS) base score of 8.4 under version 3.1, with vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, and a base score of 8.3 under version 4.0, with vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N.
The vulnerability could allow attackers to reverse engineer user passwords from the extracted cryptographic material, posing a risk to credential confidentiality. This risk arises specifically when unauthorized parties gain local read access to the specified files.
To address this issue, AVEVA released an update labeled 2023 R2 P01, which introduces a revised password hashing algorithm and requires migration of project files to this new format. The migration process is unidirectional, preventing rollback to previous versions. AVEVA advises organizations to evaluate the applicability of the update in their environments, migrate project files where possible, restrict read permissions on unupgraded files, and mandate password changes for users. No remediation for older project file backups or transient copies is provided beyond access control enforcement.
CISA suggests minimizing exposure of control system devices by restricting network access, isolating these systems behind firewalls, and employing secure remote access methods like virtual private networks (VPNs), while acknowledging that VPNs may have vulnerabilities of their own. Defensive measures should be based on thorough risk assessments. Additional recommendations include enforcing strict access control lists on project file directories, maintaining chain-of-custody for files, applying data protection with strong master passwords, and avoiding embedding passwords directly in project scripts by using project tags instead. Organizations are encouraged to monitor for and report suspicious activity according to established procedures.
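
One way to check the read-permission and access control list recommendations above is to list every principal outside an approved set that can read files under a project folder. This PowerShell script is an added example, not code from AVEVA or CISA; the folder path and the approved-principal list are placeholders to replace with site values.

```powershell
# Added example: list principals that can read AVEVA Edge project or offline
# cache files, since read access is the precondition for the hash brute force.
param(
    # Placeholder path (assumption): point this at the real project/cache folder.
    [string]$ProjectRoot = 'D:\EdgeProjects',
    # Principals permitted to read project files (assumption: adjust to site policy).
    [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# Bits that grant the ability to read file contents: ReadData, plus the generic
# GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000) bits, which can appear
# unmapped on inherited ACEs and would be missed by a ReadData-only test.
$readBits = [int][System.Security.AccessControl.FileSystemRights]::ReadData `
            -bor 0x80000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Audit the root folder itself and everything beneath it, hidden items included.
$items = @(Get-Item -LiteralPath $ProjectRoot) +
         @(Get-ChildItem -LiteralPath $ProjectRoot -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }                      # ACL unreadable: skip item
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries restrict it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not apply to this object, only to its children,
        # where they are reported as inherited entries.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $readBits) -eq 0) { continue }
        if ($Allowed -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Each row is a principal outside the approved list that can read a project file.
$findings | Sort-Object Principal, Path | Format-Table -AutoSize -Wrap
```

The same check applies to backup and transient copies of project files, for which the advisory offers no remediation other than access control.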