CVE-2025-41415
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to access publication targets) to retrieve sensitive information that could then be used to gain additional access to downstream resources.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| AVEVA | PI Integrator | 0 < 2020 R2 SP1 | affected |
Weaknesses
- CWE-201: CWE-201
Workarounds
Additionally, AVEVA recommends the following general defensive measures:
Audit assigned permissions to ensure that only trusted users are given access rights to publication targets: https://docs.aveva.com/bundle/pi-integrator-for-business-analytics/page/1013185.html
Ensure publication targets of type Text File or HDFS are configured to limit allowed output file extensions and limit output folders to be logically isolated from critical system components or executable paths:
https://docs.aveva.com/bundle/pi-integrator-for-business-analytics/page/1023019.html https://learn.microsoft.com/en-us/intune/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2025-004.pdf
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-04
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.