CVE-2025-4417

Summary

A cross-site scripting vulnerability exists in AVEVA PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow an administrator miscreant with local access to the connector admin portal to persist arbitrary JavaScript code that will be executed by other users who visit affected pages.

Affected Software

VendorProductVersion RangeStatus
AVEVAPI Connector for CygNet0 <= 1.6.14affected

Weaknesses

  • CWE-79: CWE-79

Workarounds

AVEVA further recommends users follow general defensive measures:

  • Ensure that PI Connector for CygNet administrative access is only provided to trusted entities.

  • Audit custom installation folder Access Control Lists (ACLs) to ensure access is only provided to trusted entities.

  • Audit and limit membership to the OS Local "Administrators" and "PI Connector Administrators" groups.

For additional information please refer to AVEVA-2025-002 https://www.aveva.com/en/support-and-success/cyber-security-updates/

.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References