CVE-2025-4417
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N
Summary
A cross-site scripting vulnerability exists in AVEVA PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow an administrator miscreant with local access to the connector admin portal to persist arbitrary JavaScript code that will be executed by other users who visit affected pages.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| AVEVA | PI Connector for CygNet | 0 <= 1.6.14 | affected |
Weaknesses
- CWE-79: CWE-79
Workarounds
AVEVA further recommends users follow general defensive measures:
Ensure that PI Connector for CygNet administrative access is only provided to trusted entities.
Audit custom installation folder Access Control Lists (ACLs) to ensure access is only provided to trusted entities.
Audit and limit membership to the OS Local "Administrators" and "PI Connector Administrators" groups.
For additional information please refer to AVEVA-2025-002 https://www.aveva.com/en/support-and-success/cyber-security-updates/
.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-09
- https://www.aveva.com/en/support-and-success/cyber-security-updates/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.