Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-6543 — Missing Authentication for Critical Function in Indusoft WEB Studio

CWE-306 — Missing Authentication for Critical Function5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

32.5%

top 3.14%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Aveva Indusoft WEB Studio Aveva Intouch Machine Edition 2014

Timeline

PublishedFeb 13

Latest updateMay 13

Description

AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. Code is executed under the program runtime privileges, which could lead to the compromise of the machine.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDaveva/intouch_machine_edition_2014r2

▶NVDaveva/indusoft_web_studio4 versions+3

🔴Vulnerability Details

GHSA

GHSA-pr9x-32vv-5c37: AVEVA Software, LLC InduSoft Web Studio prior to Version 8↗2022-05-13

▶

CVEList

CVE-2019-6543: AVEVA Software, LLC InduSoft Web Studio prior to Version 8↗2019-02-13

▶

💥Exploits & PoCs

Exploit-DB

Indusoft Web Studio 8.1 SP2 - Remote Code Execution↗2019-02-11

▶

🕵️Threat Intelligence

Tenable

Remote Code Execution in InduSoft Web Studio↗2019-02-06

▶