ICSA-16-313-03 · Published 2025-06-05 · Source: CISA ICS-CERT
OSIsoft PI System Incomplete Model of Endpoint Features Vulnerability
CVSS 7.1 (HIGH)
CVEs (1)
Remediations
- To fully address the potential for data loss or disconnection due to this issue, OSIsoft encourages users to upgrade to: PI Buffer Subsystem Version 4.5.0 or later; PI AF Client 2016 Version 2.8.0 or later; PI SDK 2016 Version 1.4.6 or later; PI Data Archive 2016 Version 3.4.400.1162 or later.
- For additional information about the vulnerability and the recommended mitigation plan, see OSIsoft’s security bulletin AL00308, "OSIsoft Releases Security Updates for Core Networking Component in PI System 2016", available at https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308
- To perform the upgrades, users can use the PI AF Client 2016 Install Kit to upgrade PI AF Client and the PI Buffer Subsystem together, and the PI SDK 2016 Install Kit to upgrade the PI SDK. If PI Buffer Subsystem is installed on a machine without PI AF Client, users can use the PI Interface Configuration Utility (ICU) Install Kit (1.4.16.79B) to upgrade buffering without installing the PI AF Client software.
- OSIsoft also offers the following defensive measures: use transport security protection for all remote connections to the PI Data Archive Server to block attacks from adjacent networks. PI AF Client 2015, Version 2.7 and PI Buffer Subsystem, Version 4.4 automatically enable transport security with PI Data Archive Server 2015, Version 3.4.395.64 or later when the connecting application uses Windows Integrated Security (WIS). To verify that an application is connecting with WIS and using transport security, review the PI Data Archive Server message log entries: each successful connection produces a message with event ID 7082, the Method should be “Windows Login,” and if the connection is using transport security the ciphers will also be listed. If users are running PI Data Archive PR1, Version 3.4.375.38, it is imperative, to avoid data loss, to upgrade the PI SDK, PI AF Client, and PI Buffer Subsystem nodes before the PI Data Archive.
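The verification step above (review event ID 7082 entries, confirm Method is “Windows Login” and that ciphers are listed) can be automated over an exported message log. The following is an added example, not code from the advisory or from OSIsoft: it parses constructed sample log lines whose layout (timestamp | ID | message, with "Address:", "Name:", "Method:" and "Ciphers:" fields) is an assumption for illustration, and reports every successful connection that does not use both WIS and transport security.

```python
"""Audit PI Data Archive message-log entries for event ID 7082 (successful
connection) and flag connections that lack Windows Integrated Security or
transport security. The line layout parsed here is CONSTRUCTED for this
example; adjust the regular expressions to match a real log export."""
import re
from dataclasses import dataclass
from typing import List, Optional

EVENT_ID = "7082"  # successful connection, per the advisory's verification step

# Constructed sample export: one record per line, fields separated by " | ".
SAMPLE_LOG = """\
2016-11-08 10:02:11 | ID: 7082 | Successful login ID: 41. Address: 10.0.0.21. Name: pibufss.exe. Method: Windows Login. Ciphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2016-11-08 10:02:15 | ID: 7082 | Successful login ID: 42. Address: 10.0.0.35. Name: piconfig.exe. Method: Trust.
2016-11-08 10:02:20 | ID: 7082 | Successful login ID: 43. Address: 10.0.0.40. Name: afclient.exe. Method: Windows Login.
2016-11-08 10:02:25 | ID: 7100 | Unrelated message that must be ignored
"""

_LINE = re.compile(r"^(?P<ts>\S+ \S+) \| ID: (?P<id>\d+) \| (?P<msg>.*)$")
# Values are terminated by a period followed by whitespace or end of message.
_ADDR = re.compile(r"Address: (\S+?)\.?(?:\s|$)")
_NAME = re.compile(r"Name: (\S+?)\.?(?:\s|$)")
_METHOD = re.compile(r"Method: ([^.]+)")
_CIPHERS = re.compile(r"Ciphers: (\S+)")


@dataclass
class Connection:
    timestamp: str
    address: str
    app_name: str
    method: str
    ciphers: Optional[str]  # None when the log entry lists no ciphers

    @property
    def uses_wis(self) -> bool:
        return self.method == "Windows Login"

    @property
    def uses_transport_security(self) -> bool:
        # The advisory: ciphers are listed only when transport security is on.
        return self.ciphers is not None


def parse_connections(log_text: str) -> List[Connection]:
    """Return one Connection per event-ID-7082 line; other events are skipped."""
    found: List[Connection] = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m or m.group("id") != EVENT_ID:
            continue
        msg = m.group("msg")
        addr, name, method = _ADDR.search(msg), _NAME.search(msg), _METHOD.search(msg)
        if not (addr and name and method):
            continue  # malformed record; skip rather than guess
        ciph = _CIPHERS.search(msg)
        found.append(Connection(
            timestamp=m.group("ts"),
            address=addr.group(1),
            app_name=name.group(1),
            method=method.group(1).strip(),
            ciphers=ciph.group(1) if ciph else None,
        ))
    return found


def audit(log_text: str) -> List[Connection]:
    """Connections that fall short of the advisory's bar (WIS plus transport security)."""
    return [c for c in parse_connections(log_text)
            if not (c.uses_wis and c.uses_transport_security)]


if __name__ == "__main__":
    for c in audit(SAMPLE_LOG):
        reason = "no WIS" if not c.uses_wis else "no transport security"
        print(f"{c.timestamp} {c.address} {c.app_name}: {reason} (Method: {c.method})")
```

Run against a real export, the two findings in the constructed sample correspond to the two cases the advisory asks you to catch: a client authenticating by a method other than Windows Login, and a Windows Login client whose entry lists no ciphers, which is typically a client older than the versions named above.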
Affected Vendors
OSIsoft
Affected Products (4)
- OSIsoft · Applications using PI Asset Framework (AF) Client 2016, versions <2.8.0
- OSIsoft · Applications using PI Software Development Kit (SDK) 2016, versions <1.4.6
- OSIsoft · PI Buffer Subsystem, versions <=4.4
- OSIsoft · PI Data Archive 2015, versions <3.4.395.64