CVE-2019-6543

CRITICAL

AVEVA InduSoft Web Studio - Missing Authentication for Critical Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-6543. PoCs published by Jacob Baines.

AI-analyzed exploit summary: This exploit demonstrates an unauthenticated remote code execution vulnerability in InduSoft Web Studio by crafting a malicious DB.xdc file and leveraging SMB server interaction to trigger arbitrary command execution (e.g., calc.exe). The exploit uses a custom protocol to send commands to the target and validates the response.

Description

In AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update, code is executed under the program runtime privileges, which could lead to the compromise of the machine.

Exploits (1)

exploitdb WORKING POC
by Jacob Baines · python · remote · multiple
https://www.exploit-db.com/exploits/46342


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: InduSoft Web Studio 8.1 SP2 and below
No auth needed
Prerequisites: Network access to the target's port (default 1234) · SMB server accessible from the target
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46342/
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2019-04

Scores

CVSS v3 9.8
EPSS 0.1729
EPSS Percentile 96.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-306
Status: published
Products (5)
aveva/indusoft_web_studio 6.1 sp5 (2 CPE variants)
aveva/indusoft_web_studio 7.1 (13 CPE variants)
aveva/indusoft_web_studio 8.0 (8 CPE variants)
aveva/indusoft_web_studio 8.1 (5 CPE variants)
aveva/intouch_machine_edition_2014 r2
Published Feb 13, 2019
Tracked Since Feb 18, 2026