AVEVA Edge
cpe:2.3:a:aveva:aveva_edge:*:*:*:*:*:*:*
- <= 2023 R2
A vulnerability exists in AVEVA Edge (formerly InduSoft Web Studio) versions 2023 R2 and prior. The issue arises from the use of a weak hashing algorithm, specifically MD5, to protect stored passwords. If exploited, the vulnerability could enable a local attacker with read access to Edge Project files or Edge Offline Cache files to recover passwords by brute-forcing the hashes. This applies to both app-native and Active Directory passwords.
Exploitation of this vulnerability could lead to recovery of the passwords behind the stored hashes, which could then be used to access user accounts.
Users are advised to update to AVEVA Edge 2023 R2 P01 or higher, which addresses this vulnerability. After updating, it is important to migrate old project files, as the migration process is one-way due to changes in the password hashing algorithms. For projects that cannot be migrated, evaluate the risk of password leakage from these files and implement stricter read access controls. Additionally, users should be required to change their passwords. For more information, see AVEVA's Security Bulletin AVEVA-2025-006.