CVE-2022-28685 – CVE-2022-28685 is a remote code execution vulne... (How to Fix)

Q: What is the severity of CVE-2022-28685?

CVE-2022-28685 has a CVSS score of 7.8 (HIGH). CVE-2022-28685 is a remote code execution vulnerability in AVEVA Edge 2020 SP2 Patch 0 (version 4201.2111.1802.0000) that allows attackers to execute arbitrary code by tricking users into opening malicious APP files. The vulnerability exists due to improper deserialization of untrusted data during APP file parsing. Organizations using the affected AVEVA Edge version are at risk.

📋 TL;DR

CVE-2022-28685 is a remote code execution vulnerability in AVEVA Edge 2020 SP2 Patch 0 (version 4201.2111.1802.0000) that allows attackers to execute arbitrary code by tricking users into opening malicious APP files. The vulnerability exists due to improper deserialization of untrusted data during APP file parsing. Organizations using the affected AVEVA Edge version are at risk.

💻 Affected Systems

Products:

AVEVA Edge

Versions: 2020 SP2 Patch 0 (4201.2111.1802.0000)

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only this specific version is confirmed vulnerable. User interaction required (opening malicious APP file or visiting malicious page).

📦 What is this software?

Aveva Edge by Aveva

View all CVEs affecting Aveva Edge →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Attacker executes malicious code with the privileges of the current user, potentially installing malware, stealing credentials, or establishing persistence on the system.

🟢

If Mitigated

If proper network segmentation and least privilege principles are applied, impact is limited to the isolated system with minimal lateral movement potential.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires user interaction but is technically straightforward once malicious file is opened. ZDI advisory suggests weaponization is likely given the RCE nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to AVEVA Edge 2020 SP2 Patch 1 or later

Vendor Advisory: https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2022-005.pdf

Restart Required: Yes

Instructions:

1. Download the latest patch from AVEVA support portal. 2. Backup current configuration. 3. Install the patch following vendor instructions. 4. Restart the system. 5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict APP file execution

windows

Block execution of APP files from untrusted sources using application control policies

User education and file restrictions

all

Train users not to open APP files from unknown sources and implement email filtering for APP attachments

🧯 If You Can't Patch

Implement strict network segmentation to isolate AVEVA Edge systems from critical infrastructure
Apply the principle of least privilege to user accounts running AVEVA Edge to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check AVEVA Edge version in Help > About. If version is exactly 4201.2111.1802.0000, the system is vulnerable.

Check Version:

Check via GUI: Help > About in AVEVA Edge application

Verify Fix Applied:

Verify version in Help > About shows a version higher than 4201.2111.1802.0000, preferably 2020 SP2 Patch 1 or later.

📡 Detection & Monitoring

Log Indicators:

Unusual process creation from AVEVA Edge executable
Failed attempts to load or parse APP files
Security software alerts about suspicious file operations

Network Indicators:

Outbound connections from AVEVA Edge process to unexpected external IPs
DNS requests for suspicious domains from the AVEVA Edge host

SIEM Query:

Process Creation where Parent Process Name contains 'AVEVA Edge' AND (Command Line contains '.app' OR Command Line contains suspicious patterns like powershell, cmd, wmic)

📊 Metadata

CVE ID: CVE-2022-28685

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: March 29, 2023

Last Updated: February 18, 2025

🔗 References

https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2022-005.pdf Patch,Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-1124/ Third Party Advisory,VDB Entry
https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2022-005.pdf Patch,Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-1124/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-28685, you might also want to check these: