PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-5015 Parsons CVE debrief

CVE-2025-5015 is a high-severity cross-site scripting issue in the AccuWeather and Custom RSS widget used by Parsons/Aclara utility portal deployments. According to the CISA CSAF advisory, an unauthenticated user can replace the RSS feed URL with a malicious one, creating a path to script execution in a victim’s browser. The advisory lists multiple affected product versions and distinguishes between managed/hosted instances, which were reported patched, and on-premises customers, who must take action.

Vendor: Parsons
Product: AclaraONE Utility Portal
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-24
Original CVE updated: 2025-06-24
Advisory published: 2025-06-24
Advisory updated: 2025-06-24

Who should care

Administrators and security teams responsible for Parsons Utility Enterprise Data Management 3.30, 4.02 through 4.26, 5.03, 5.18, and AclaraONE Utility Portal versions below 1.22 should review this immediately. It matters most for internet-facing utility portals, on-prem deployments, and any environment where widget configuration can be changed through the web interface.

Technical summary

CISA’s advisory describes a cross-site scripting vulnerability in the AccuWeather and Custom RSS widget. The reported condition allows an unauthenticated user to replace the RSS feed URL with a malicious one. The supplied CVSS vector, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicates a network-reachable issue with low attack complexity, no privileges required, user interaction required, and potentially severe confidentiality, integrity, and availability impact once a victim interacts with the malicious content. The CSAF record maps the issue to Parsons Utility Enterprise Data Management and AclaraONE Utility Portal affected versions.

Defensive priority

High — verify exposure and patch status now, with special attention to on-premises AclaraONE installations and any externally reachable portal instances.

Recommended defensive actions

  • Confirm whether any deployment matches the affected version ranges listed in the CSAF advisory.
  • For AclaraONE on-premises customers, obtain and apply the vendor patch through the Aclara Connect Customer Portal or contact Aclara Support as directed in the advisory.
  • For Parsons-managed and Aclara-hosted instances, verify with the provider that the instance is already on a patched release and document that status.
  • Review widget and RSS feed configuration for unexpected URL changes or unauthorized edits.
  • Monitor application and access logs for suspicious widget configuration changes and user-reported browser anomalies.
  • Use the CISA ICS recommended practices links in the advisory to reinforce web access control, least privilege, and defensive monitoring around the portal.
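The two review-and-monitor actions above (checking RSS feed configuration for unexpected URL changes, and watching logs for suspicious widget edits) can be turned into a repeatable check. The script below is an added example and is not vendor code; the audit-log format, the host allowlist and every sample event are constructed for illustration, so the parser is the part to adapt to whatever the portal actually emits.

```python
"""Flag suspicious RSS feed URL changes in widget-configuration audit events.

Added example, not part of the advisory or the AclaraONE product. The log
format is constructed: one event per line, a timestamp followed by
space-separated key=value pairs. Adapt parse_event() to real portal logs."""
from urllib.parse import urlsplit

# Feed hosts an operator has approved (constructed allowlist; .invalid TLD
# is reserved, so these names can never resolve).
ALLOWED_FEED_HOSTS = {
    "rss.example-weather.invalid",
    "status.example-utility.invalid",
}

# Constructed sample audit events; not real product output.
SAMPLE_LOG = """\
2025-06-25T10:01:12Z actor=portal-admin auth=yes action=widget.update widget=custom_rss field=feed_url new=https://status.example-utility.invalid/outages.xml
2025-06-25T10:03:44Z actor=- auth=no action=widget.update widget=custom_rss field=feed_url new=https://untrusted.invalid/feed.xml
2025-06-25T10:05:02Z actor=portal-admin auth=yes action=widget.update widget=custom_rss field=title new=Outages
2025-06-25T10:07:19Z actor=portal-admin auth=yes action=widget.update widget=custom_rss field=feed_url new=http://rss.example-weather.invalid/feed
"""


def parse_event(line: str) -> dict:
    """'<ts> k=v k=v ...' -> {'ts': ts, 'k': 'v', ...}."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, val = token.partition("=")
        fields[key] = val
    return fields


def check_feed_url(url: str) -> list:
    """Reasons a configured feed URL is suspicious; empty list means it passes."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        reasons.append(f"scheme {parts.scheme!r} is not https")
    host = parts.hostname or ""
    if host not in ALLOWED_FEED_HOSTS:
        reasons.append(f"host {host!r} not in feed allowlist")
    return reasons


def find_suspicious_changes(log_text: str) -> list:
    """Return (timestamp, new_url, reasons) for each feed_url change that
    fails the URL policy or was made without an authenticated actor."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("action") != "widget.update" or ev.get("field") != "feed_url":
            continue  # only feed URL edits are in scope for this check
        new_url = ev.get("new", "")
        reasons = check_feed_url(new_url)
        if ev.get("auth") != "yes":
            reasons.append("feed URL changed by unauthenticated actor")
        if reasons:
            findings.append((ev["ts"], new_url, reasons))
    return findings


if __name__ == "__main__":
    for ts, url, reasons in find_suspicious_changes(SAMPLE_LOG):
        print(ts, url)
        for r in reasons:
            print("   -", r)
```

The same check_feed_url() policy can be applied to a dump of the current widget configuration, not just to change events, so a one-off review and ongoing monitoring share one definition of "unexpected". An unauthenticated feed URL change is the specific condition the advisory describes and is reported regardless of whether the new URL looks benign.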

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-175-06 and the accompanying raw CSAF record for CVE-2025-5015. The advisory was initially published on 2025-06-24 and describes an unauthenticated XSS issue in the AccuWeather and Custom RSS widget. The CSAF record lists affected versions for Parsons Utility Enterprise Data Management and AclaraONE Utility Portal, and it states that Parsons-managed instances were patched as of 2025-01-07, Aclara-hosted instances were patched as of 2025-02-07, and on-premises customers must apply a patch obtained through Aclara Connect.

Official resources

Publicly disclosed by CISA on 2025-06-24 under advisory ICSA-25-175-06. The advisory’s revision history shows an initial publication on that date; managed and hosted instances were stated to have been patched earlier, while on-premises Acl