CVE-2025-36539
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| AVEVA | PI Data Archive | 2023 <= 2018 SP3 Patch 4 | affected |
| AVEVA | PI Data Archive | 2023 Patch 1 | affected |
| AVEVA | PI Server | 2023 <= 2018 SP3 Patch 6 | affected |
| AVEVA | PI Server | 2023 Patch 1 <= 2018 SP3 Patch 6 | affected |
Weaknesses
- CWE-248: CWE-248
Workarounds
AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users with affected product versions should apply security updates to mitigate the risk of exploit.
AVEVA further recommends users follow general defensive measures:
Monitor liveness of PI Network Manager and PI Archive Subsystem services.
Set the PI Network Manager and PI Archive Subsystem services to automatically restart.
Limit Port 5450 access to trusted workstations and software.
For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements https://customers.osisoft.com/s/knowledgearticle .
Impact and severity of vulnerabilities can be reduced through industry accepted IT practices. Please consult your IT engineer for advice on how to best implement these firewall restrictions in your organization's architecture. OSIsoft technical support provides guidance on architectural approaches, backup procedures, network defenses, and operating system configuration.
For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server https://customers.osisoft.com/s/knowledgearticle . For additional information please refer to AVEVA-2025-001 https://www.aveva.com/en/support-and-success/cyber-security-updates/ .
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-07
- https://www.aveva.com/en/support-and-success/cyber-security-updates/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.