PatchSiren

CVE-2025-8386 AVEVA CVE debrief

CVE-2025-8386 is a configuration-time flaw in AVEVA Application Server IDE. According to the CISA advisory, an authenticated user with aaConfigTools privileges can tamper with App Objects' help files and persist a cross-site scripting payload that may be triggered by a victim user, enabling horizontal or vertical privilege escalation. AVEVA states that runtime components and operations are not affected, and the vendor fix is available in AVEVA System Platform 2023 R2 SP1 P03 or later.

Vendor: AVEVA
Product: Application Server
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-11-13
Original CVE updated: 2025-11-13
Advisory published: 2025-11-13
Advisory updated: 2025-11-13

Who should care

Organizations using AVEVA Application Server IDE for configuration work should care most, especially teams that assign aaConfigTools broadly or allow multiple trusted administrators to use the IDE. Security and operations teams responsible for industrial control system environments should treat this as an access-control and integrity issue in the configuration workflow.

Technical summary

The issue is described as a persistent XSS condition in App Objects' help files within the IDE component of AVEVA Application Server. Successful abuse requires authenticated access with aaConfigTools privileges and user interaction from a victim who opens the affected content. The supplied CVSS v3.1 vector is AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L, scored 6.9. CISA notes that the weakness is limited to config-time operations and does not affect run-time components.

Defensive priority

Medium. The vulnerability requires authenticated high-privilege access and user interaction, but it can lead to privilege escalation and persistent malicious content in the configuration environment.

Recommended defensive actions

  • Upgrade affected systems to AVEVA System Platform 2023 R2 SP1 P03 or higher.
  • Audit assigned permissions and ensure only trusted users are members of the aaConfigTools OS Group.
  • Review AVEVA Security Bulletin AVEVA-2025-005 and follow the vendor's guidance for the affected deployment.
  • Evaluate the impact of the advisory against your specific operational environment, architecture, and product implementation before and during remediation.
  • Keep the IDE configuration workflow restricted to authorized administrators and limit unnecessary access to configuration-time tools.

Evidence notes

This debrief is based on the supplied CISA CSAF advisory ICSA-25-317-02 for AVEVA Application Server IDE and the associated official references. The advisory description states that an authenticated miscreant with aaConfigTools privileges can tamper with App Objects' help files and persist XSS, and that only config-time IDE operations are affected. Supplied timeline fields show publishedAt and modifiedAt as 2025-11-13T07:00:00.000Z, and the supplied enrichment indicates no KEV listing.

Official resources

Publicly disclosed by CISA in ICSA-25-317-02 on 2025-11-13; the supplied timeline shows the same date for publication and modification, and no KEV entry is indicated in the provided enrichment.