CVE-2025-9317

Summary

The vulnerability, if exploited, could allow a miscreant with read access to Edge Project files or Edge Offline Cache files to reverse engineer Edge users' app-native or Active Directory passwords through computational brute-forcing of weak hashes.

Affected Software

VendorProductVersion RangeStatus
AVEVAEdge0 <= Versions 2023 R2affected

Weaknesses

  • CWE-327: CWE-327

Workarounds

The following general defensive measures are recommended:

  • Access Control Lists should be applied to all folders where users will save and load project files.

  • Maintain a trusted chain-of-custody on project files during creation, modification, distribution, and use.

  • Apply data-protection at the project level with a strong master password. For configuration step-by-step refer to AVEVA Edge "Technical Reference Manual" > Project Overview > Configuring Additional Project Settings > Options Tab > Data Protection.

  • If passwords are being used as function parameters inside project documents (such as scripts or worksheets), it is recommended to remove those passwords and use project tags instead. For more information on tags refer to AVEVA Edge "Technical Reference Manual" > Tags and the Tag Database > About Tags and the Project Database.

For information on how to reach AVEVA support for your product, please refer to this link: AVEVA Customer Support https://www.aveva.com/en/support/support-contact/  .

For more information, see AVEVA's Security Bulletin AVEVA-2025-006 https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2025-006.pdf  or AVEVA's bulletins page https://www.aveva.com/en/support-and-success/cyber-security-updates/ .

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References