AVEVA Application Server IDE Vulnerability Executive Summary CVSS v4.7.2 Attention: Low attack complexity Vendor: AVEVA Equipment: Application Server IDE Vulnerability: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Risk Evaluation Successful exploitation could allow tampering with help files and injecting cross-site scripting (XSS) code. Technical Details Affected Products Application Server: Versions 2023 R2 SP1 P02 and prior Vulnerability Overview CVE-2025-8386: CVSS v3.1 base score of 6.9; CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L) CVE-2025-8386: CVSS v4 base score of 7.2; CVSS vector string is (AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H) Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: United Kingdom Researcher AVEVA reported this vulnerability to CISA. Mitigations Fix: Upgrade to AVEVA System Platform 2023 R2 SP1 P03 or higher. Security Recommendations: - Audit assigned permissions to ensure only trusted users are added to the "aaConfigTools" OS Group. - Minimize network exposure for all control system devices. - Use secure methods like Virtual Private Networks (VPNs) for remote access. - Implement recommended cybersecurity strategies for proactive defense of ICS assets. Update History November 13, 2025: Initial Republication of AVEVA-2025-005 Tags Sector: Critical Manufacturing Sector Topics: Industrial Control System Vulnerabilities, Industrial Control Systems