CVE-2025-9317 PUBLISHED

AVEVA Edge Use of a Broken or Risky Cryptographic Algorithm

Assigner: icscert
Reserved: 21.08.2025 Published: 14.11.2025 Updated: 17.11.2025

The vulnerability, if exploited, could allow a miscreant with read access to Edge Project files or Edge Offline Cache files to reverse engineer Edge users' app-native or Active Directory passwords through computational brute-forcing of weak hashes.

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 8.4

Attack Vector	Local	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
CVSS Score: 8.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	None	Integrity	High
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	AVEVA
Product	Edge
Versions	Default: unaffected affected from 0 to Versions 2023 R2 (incl.)

Workarounds

The following general defensive measures are recommended:

Access Control Lists should be applied to all folders where users will save and load project files.
Maintain a trusted chain-of-custody on project files during creation, modification, distribution, and use.
Apply data-protection at the project level with a strong master password. For configuration step-by-step refer to AVEVA Edge "Technical Reference Manual" > Project Overview > Configuring Additional Project Settings > Options Tab > Data Protection.
If passwords are being used as function parameters inside project documents (such as scripts or worksheets), it is recommended to remove those passwords and use project tags instead. For more information on tags refer to AVEVA Edge "Technical Reference Manual" > Tags and the Tag Database > About Tags and the Project Database.

For information on how to reach AVEVA support for your product, please refer to this link: AVEVA Customer Support https://www.aveva.com/en/support/support-contact/ .

For more information, see AVEVA's Security Bulletin AVEVA-2025-006 https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2025-006.pdf or AVEVA's bulletins page https://www.aveva.com/en/support-and-success/cyber-security-updates/ .

Solutions

AVEVA recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

Users using the affected product versions should take the following actions to mitigate the risk of exploit:

Apply AVEVA Edge 2023 R2 P01 https://softwaresupportsp.aveva.com/en-US/downloads/products/details/38f52447-3013-4c4e-be6e-9b28b635bba9
Security Update and migrate old project files.
For projects that cannot be migrated (e.g. backups or transient copies), evaluate the risk of potential password leakage from these files and implement stricter read access controls to protect these unsafe files.
Require AVEVA Edge users to change their passwords.
Important: Edge project migration from older versions to 2023 R2 P01 is one-way due to the change in password hashing algorithms.

For information on how to reach AVEVA support for your product, please refer to this link: AVEVA Customer Support https://www.aveva.com/en/support/support-contact/ .For more information, see AVEVA's Security Bulletin AVEVA-2025-006 https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2025-006.pdf or AVEVA's bulletins page https://www.aveva.com/en/support-and-success/cyber-security-updates/ .

CVE-2025-9317 PUBLISHED

AVEVA Edge Use of a Broken or Risky Cryptographic Algorithm

Metrics

Product Status

Workarounds

Solutions

Credits

References

Problem Types