CVE-2022-36969

7.1 HIGH
XXE

📋 TL;DR

This XXE vulnerability in AVEVA Edge 2020 allows attackers to read sensitive files from the system when users open malicious documents. Attackers can exploit this to steal configuration files, credentials, or other sensitive data. Only installations of AVEVA Edge 2020 SP2 Patch 0 are affected.

💻 Affected Systems

Products:
  • AVEVA Edge 2020
Versions: SP2 Patch 0 (4201.2111.1802.0000)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the specific patch version. Requires user interaction to open malicious files.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through credential theft, configuration file exfiltration, and potential lateral movement within the network.

🟠 Likely Case: Sensitive file disclosure including configuration files, local user data, and potentially credentials stored in accessible locations.

🟢 If Mitigated: Limited impact with proper network segmentation and user awareness training preventing malicious document execution.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious content but could be delivered via web interfaces or email.
🏢 Internal Only: HIGH - Internal users opening malicious documents could lead to significant data exposure within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction but is technically simple once a malicious document is opened. The ZDI advisory suggests weaponization is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: any version later than SP2 Patch 0

Vendor Advisory: https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2022-005.pdf

Restart Required: Yes

Instructions:

1. Download the latest AVEVA Edge 2020 update from the official vendor portal.
2. Back up the current configuration.
3. Install the update following the vendor's instructions.
4. Restart the system.
5. Verify that the version has been updated.

🔧 Temporary Workarounds

  • Disable external entity processing (platform: all): configure the XML parser to disable external entity resolution. Set XML parser properties: FEATURE_SECURE_PROCESSING = true, DISALLOW_DOCTYPE_DECL = true.
  • Restrict file types (platform: Windows): block opening of untrusted XML-based documents.

🧯 If You Can't Patch

  • Implement strict user awareness training about opening untrusted documents
  • Network segmentation to isolate AVEVA Edge systems from sensitive data stores

🔍 How to Verify

Check if Vulnerable:

Check the AVEVA Edge version under Help > About. If the version is exactly 4201.2111.1802.0000, the system is vulnerable.

Check Version:

In AVEVA Edge: Help > About displays version information

Verify Fix Applied:

Verify that the version differs from 4201.2111.1802.0000 after patching. Test with a safe XXE payload to confirm that the parser blocks external entities.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from AVEVA Edge process
  • Multiple failed attempts to access system files
  • XML parsing errors with external entity references

Network Indicators:

  • Outbound connections to unusual URIs during document processing
  • Data exfiltration patterns from AVEVA Edge system

SIEM Query:

process_name="AVEVA Edge" AND (file_access_denied OR xml_parsing_error)
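The following is an added example, not AVEVA's code and not taken from the advisory. It ties together three parts of this page: the temporary workaround (disabling external entity resolution via FEATURE_SECURE_PROCESSING and DISALLOW_DOCTYPE_DECL, which are JAXP/Xerces-style settings that only apply where you control the XML parsing code, not in the shipped product), the "safe XXE payload" check from the verification section, and the SIEM query above. It models the two parser settings as flags on Python's stdlib expat parser, runs a constructed probe document through hardened and permissive policies, and emits constructed log lines that a `siem_match()` function evaluates against the page's query. The process name, the log line format, the `file:///C:/constructed/config.ini` URI and the `FAKE_FILES` contents are all constructed; no real file is read.

```python
"""Added example (not AVEVA's code): emulating the advisory's XML-parser
hardening with Python's stdlib expat parser, plus the SIEM match it feeds.

The property names on the page (FEATURE_SECURE_PROCESSING, DISALLOW_DOCTYPE_DECL)
are JAXP/Xerces-style settings; here they are modelled as two flags on parse_xml().
Everything below (URIs, log format, secret string) is constructed.
"""
import shlex
import xml.parsers.expat as expat
from typing import Dict, List, Optional

PROCESS_NAME = "AVEVA Edge"  # assumed process name, taken from the page's SIEM query

# Constructed in-memory stand-in for the local filesystem: no real file is read.
FAKE_FILES = {"file:///C:/constructed/config.ini": "db_password=example-only"}

# Constructed probe document of the kind used to verify a fix: a DOCTYPE
# declaring an external general entity, then a reference to it in content.
PROBE_DOC = (
    '<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///C:/constructed/config.ini">]>'
    "<d>&xxe;</d>"
)


class DoctypeNotAllowed(Exception):
    """Raised when a DOCTYPE appears and the DISALLOW_DOCTYPE_DECL policy is on."""


class ExternalEntityBlocked(Exception):
    """Raised when an external entity reference is refused (secure processing)."""


def _log_line(event: str, detail: str) -> str:
    # Constructed log format: key=value pairs, process name quoted.
    return f'process_name="{PROCESS_NAME}" event={event} {detail}'


def parse_xml(data: str, disallow_doctype: bool = True,
              resolve_external: bool = False,
              log: Optional[List[str]] = None) -> str:
    """Parse `data` under a policy and return its concatenated text content.

    disallow_doctype=True   models DISALLOW_DOCTYPE_DECL: any <!DOCTYPE> is rejected.
    resolve_external=False  models FEATURE_SECURE_PROCESSING: external entities refused.
    resolve_external=True   models a permissive parser, kept only to show the contrast.
    Rejections append a constructed log line to `log` and raise.
    """
    log = log if log is not None else []
    parser = expat.ParserCreate()
    text: List[str] = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if disallow_doctype:
            log.append(_log_line("xml_parsing_error", f"reason=doctype_rejected name={name}"))
            raise DoctypeNotAllowed(name)

    def on_external_entity(context, base, system_id, public_id):
        if not resolve_external:
            log.append(_log_line("xml_parsing_error",
                                 f"reason=external_entity_blocked uri={system_id}"))
            raise ExternalEntityBlocked(system_id)
        # Permissive path: the entity's "file" content is parsed as an external
        # parsed entity and lands in the document text, which is the XXE effect.
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text.append
        child.Parse(FAKE_FILES.get(system_id, ""), True)
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = text.append
    # Never load external DTD subsets or parameter entities, whatever the policy.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)
    return "".join(text)


def xxe_self_test() -> Dict[str, str]:
    """Run PROBE_DOC under each policy; a hardened parser must report 'blocked'."""
    policies = {
        "hardened": {},
        "doctype_allowed": {"disallow_doctype": False},
        "permissive": {"disallow_doctype": False, "resolve_external": True},
    }
    results = {}
    for label, flags in policies.items():
        try:
            results[label] = parse_xml(PROBE_DOC, **flags)
        except (DoctypeNotAllowed, ExternalEntityBlocked) as exc:
            results[label] = f"blocked:{type(exc).__name__}"
    return results


def siem_match(line: str) -> bool:
    """Evaluate the page's query on one constructed log line:
    process_name="AVEVA Edge" AND (file_access_denied OR xml_parsing_error)."""
    fields = dict(part.split("=", 1) for part in shlex.split(line) if "=" in part)
    return (fields.get("process_name") == PROCESS_NAME
            and fields.get("event") in {"file_access_denied", "xml_parsing_error"})


if __name__ == "__main__":
    print(xxe_self_test())
    events: List[str] = []
    try:
        parse_xml(PROBE_DOC, log=events)
    except DoctypeNotAllowed:
        pass
    for line in events:
        print("ALERT" if siem_match(line) else "ignore", line)
```

Under the hardened policy the probe never reaches the entity reference because the DOCTYPE itself is rejected, which is why DISALLOW_DOCTYPE_DECL is the stronger of the two settings; the `doctype_allowed` policy shows that refusing external entities alone also stops the read, and the `permissive` policy shows the constructed secret landing in the parsed text. Python's stdlib parsers do not fetch external entities on their own, so the permissive path is a simulation of what a resolving parser such as Xerces does by default.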
