VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2023 · Updated Oct 7, 2024

CVE-2021-42796

Description

An issue was discovered in ExecuteCommand() in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior that allows unauthenticated arbitrary commands to be executed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated remote attacker can execute arbitrary commands via the ExecuteCommand() function in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior.

Vulnerability

In AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior, the ExecuteCommand() function contains an improper access control vulnerability (CWE-284) that allows unauthenticated arbitrary command execution [2]. The affected versions include AVEVA Edge 2020 R2 SP1, 2020 R2 SP1 with Hotfix 2020.2.00.40, and all prior versions [2].

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted request to the StADOSvr.exe process [2]. No user interaction or special privileges are required; the attack complexity is low [2].

Impact

Successful exploitation allows the attacker to execute arbitrary commands in the security context of the StADOSvr.exe process, which typically runs under a standard-privilege user account [2]. This can lead to full compromise of the affected system, including data exfiltration, installation of malware, or further lateral movement within the network.

Mitigation

AVEVA recommends users update to the latest version of AVEVA Edge [2]. As of the advisory publication (November 2022), no specific fixed version is listed; however, users should apply any available updates from AVEVA. Restricting network access to the affected service and monitoring for suspicious activity can serve as interim workarounds [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
