CVE-2025-44019

Summary

AVEVA PI Data Archive products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service. Depending on the timing of the crash, data present in snapshots/write cache may be lost.

Affected Software

VendorProductVersion RangeStatus
AVEVAPI Data Archive0 <= 2018 SP3 Patch 4affected
AVEVAPI Data Archive2023affected
AVEVAPI Data Archive2023 Patch 1affected
AVEVAPI Server0 <= 2018 SP3 Patch 6affected
AVEVAPI Server2023affected
AVEVAPI Server2023 Patch 1affected

Weaknesses

  • CWE-248: CWE-248

Workarounds

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users with affected product versions should apply security updates to mitigate the risk of exploit. 

AVEVA further recommends users follow general defensive measures:

  • Monitor liveness of PI Network Manager and PI Archive Subsystem services.

  • Set the PI Network Manager and PI Archive Subsystem services to automatically restart.

  • Limit Port 5450 access to trusted workstations and software.

  • For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements https://customers.osisoft.com/s/knowledgearticle .

  • Impact and severity of vulnerabilities can be reduced through industry accepted IT practices. Please consult your IT engineer for advice on how to best implement these firewall restrictions in your organization's architecture. OSIsoft technical support provides guidance on architectural approaches, backup procedures, network defenses, and operating system configuration.

  • For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server https://customers.osisoft.com/s/knowledgearticle .

For additional information please refer to AVEVA-2025-001 https://www.aveva.com/en/support-and-success/cyber-security-updates/ .

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References