CVE-2024-6456

SQL Injection vulnerability in AVEVA Historian Server

Description

AVEVA Historian Server has a vulnerability that, if exploited, could allow a malicious SQL command to execute under the privileges of an interactive Historian REST Interface user who had been socially engineered by a miscreant into opening a specially crafted URL.

Remediation

Solution:

  • AVEVA recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation. Users with affected product versions should apply security updates as soon as possible.
  • AVEVA recommends that Historian is upgraded using AVEVA System Platform media:
    • (Recommended) All affected versions can be fixed by upgrading to AVEVA System Platform 2023 R2 P01: https://softwaresupportsp.aveva.com/#/producthub/details
    • (Alternative 1) Historian 2023 through 2023 P03 can be fixed by upgrading to AVEVA System Platform 2023 P04: https://softwaresupportsp.aveva.com/#/producthub/details
    • (Alternative 2) Historian 2020 R2 through 2020 R2 SP1 P01 can be fixed by first upgrading to AVEVA System Platform 2020 R2 SP1 P01 and then applying Hotfix 3190476. Please contact AVEVA Global Customer Support (https://www.aveva.com/en/support/support-contact/) for instructions on how to download and apply this security fix.
  • AVEVA also recommends the following general defensive measure:
    • Establish procedures for Historian REST Interface users to verify that the source of any URL shared with them is trusted before opening it.
  • For information on how to reach AVEVA support for your product, please refer to AVEVA Customer Support: https://www.aveva.com/en/support/support-contact/
  • If you discover errors or omissions in this advisory, please report the finding to Support.
  • For the latest AVEVA security information and security updates, please visit AVEVA Security Central: https://softwaresupportsp.aveva.com/#/securitycentral
  • AVEVA recommends that users looking for general information on how to secure Industrial Control Systems reference the NIST Guide to Operational Technology (OT) Security, NIST SP 800-82r3: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
  • For more information, see AVEVA's Security Bulletin AVEVA-2024-005:
    https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2024-005.pdf

Category

CVSS score: 8.5 (CVSS 4.0)
Severity: High
EPSS: 0.24%
Affected: AVEVA Historian Web Server
Published at:
Updated at:

References

Frequently Asked Questions

What is the severity of CVE-2024-6456?
CVE-2024-6456 has been scored as a high severity vulnerability.
How to fix CVE-2024-6456?
To fix CVE-2024-6456, apply the vendor updates listed under Remediation above (AVEVA System Platform 2023 R2 P01, or the alternative upgrade paths and Hotfix 3190476 described in AVEVA Security Bulletin AVEVA-2024-005).
Is CVE-2024-6456 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2024-6456 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-6456?
CVE-2024-6456 affects AVEVA Historian Web Server.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.