Risk Summary
Successful exploitation of this vulnerability could allow an attacker to perform remote code execution.
CVEs (1)
Remediations
- AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:
- From OSI Soft Customer Portal, search for "PI Web API" and select version "2023 SP1" or later.
- (Alternative) PI Web API 2021 SP3 can be fixed by upgrading PI AF Client to one of the versions specified in AVEVA Security Bulletin AVEVA-2024-004 / ICSA-24-163-03
- AVEVA further recommends users follow general defensive measures:
- Set "DisableWrites" configuration setting to true, if this instance of PI Web API is used only for reading data or GET requests.
- Uninstall Core Endpoints feature if this instance of PI Web API is used only for data collection from AVEVA Adapters. Keep OMF feature installed.
- Limit AF Servers' Administrators, so that most of the PI Web API user accounts don't have the permission to change the backend AF servers.
- For additional information please refer to AVEVA-2024-003
Affected Vendors
AVEVA
Affected Products (1)
AVEVA
·
PI Web API
<=2023
Affected Sectors
Critical Manufacturing
Get alerted to advisories like this
OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.
Start free trial Learn more