CVE-2019-6545 in InduSoft Web Studio
Summary
by MITRE
AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/31/2025
The vulnerability identified as CVE-2019-6545 affects AVEVA Software products including InduSoft Web Studio versions prior to 8.1 SP3 and InTouch Edge HMI versions prior to 2017 Update, representing a critical remote code execution flaw that undermines the security posture of industrial control systems. This vulnerability stems from insufficient input validation within the database connection configuration file processing mechanism, allowing malicious actors to craft specially formatted configuration files that trigger arbitrary code execution on the target server. The flaw exists in the way these industrial automation platforms handle database connection parameters, specifically when parsing configuration data that should be restricted to legitimate connection strings and credentials.
The technical implementation of this vulnerability involves a path traversal and code injection vector where an unauthenticated remote attacker can manipulate database connection configuration files to execute malicious commands with the privileges of the running application. This represents a classic command injection vulnerability that falls under CWE-78, which describes improper neutralization of special elements used in OS commands. The vulnerability is particularly dangerous in industrial environments where these products are commonly deployed, as it allows attackers to gain unauthorized access to critical infrastructure control systems without requiring authentication credentials.
The operational impact of CVE-2019-6545 extends beyond simple remote code execution, as it can enable attackers to establish persistent access to industrial control systems and potentially compromise the entire operational technology infrastructure. This vulnerability aligns with ATT&CK technique T1203, which covers legitimate credentials, but in this case the attack vector bypasses authentication entirely through configuration file manipulation. The implications are severe for critical infrastructure sectors including manufacturing, energy, and water utilities where these products are extensively deployed, as the vulnerability could enable attackers to disrupt operations, manipulate process controls, or exfiltrate sensitive operational data.
Security professionals should consider implementing network segmentation and access controls to limit exposure to this vulnerability, while also deploying intrusion detection systems to monitor for suspicious configuration file modifications. The recommended mitigation strategy involves upgrading to the patched versions of InduSoft Web Studio 8.1 SP3 and InTouch Edge HMI 2017 Update, which address the input validation flaws through proper sanitization of database connection parameters. Additionally, organizations should conduct comprehensive vulnerability assessments of their industrial control system environments to identify any other potentially affected systems and implement network monitoring to detect unauthorized configuration file changes that might indicate exploitation attempts.