CVE-2019-6543
CVE-2019-6543 is a critical-severity vulnerability in Aveva Indusoft Web Studio with a CVSS 3.x base score of 9.8. Its EPSS exploit-prediction score of 17% places it in the 97th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-306.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 17% (97th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-306
- Affected product: Aveva Indusoft Web Studio
- Published:
- Last modified:
Description
AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. Code is executed under the program runtime privileges, which could lead to the compromise of the machine.
Frequently asked questions
- What is CVE-2019-6543?
- AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. Code is executed under the program runtime privileges, which could lead to the compromise of the machine.
- How severe is CVE-2019-6543?
- CVE-2019-6543 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-6543 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 17% (97th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2019-6543?
- CVE-2019-6543 primarily affects Aveva Indusoft Web Studio. In total, 29 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-6543?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2019-6543 published?
- CVE-2019-6543 was published on 2019-02-13 and last updated on 2026-06-17.
References
- https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01
- https://www.exploit-db.com/exploits/46342/
- https://www.tenable.com/security/research/tra-2019-04
Affected products (29)
- cpe:2.3:a:aveva:indusoft_web_studio:6.1:sp5:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:6.1:sp6_p3:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp1:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp2:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p1:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p2:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p3:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p4:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p5:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p6:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p7:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p8:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:7.1:sp3_p9:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.0:p1:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.0:p2:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.0:p3:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp1_p1:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.0:sp2_p1:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.1:p1:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp1:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp1_p1:*:*:*:*:*:*
- cpe:2.3:a:aveva:indusoft_web_studio:8.1:sp2:*:*:*:*:*:*
- cpe:2.3:a:aveva:intouch_machine_edition_2014:r2:*:*:*:*:*:*:*
More vulnerabilities in Aveva Indusoft Web Studio
- CVE-2018-17916 — Critical (CVSS 9.8): InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) versions prior…
- CVE-2018-17914 — Critical (CVSS 9.8): InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) versions prior…
- CVE-2018-10620 — Critical (CVSS 9.8): AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could…
- CVE-2019-6545 — High (CVSS 7.5): AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine…
All CVEs affecting Aveva Indusoft Web Studio →
Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities
- CVE-2026-54309 — Critical (CVSS 10.0): n8n is an open source workflow automation platform. Prior to 2.25.7 and 2.26.2, when @n8n/mcp-browser is run in HTTP…
- CVE-2026-50242 — Critical (CVSS 10.0): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2026-49257 — Critical (CVSS 10.0): mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1…
- CVE-2026-46846 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46803 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework).…
- CVE-2026-46800 — Critical (CVSS 10.0): Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites).…
Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →