OTPulse

OSIsoft PI Web API 2017

Plan Patch | CVSS 7.1 | ICS-CERT ICSA-17-164-03 | Jun 13, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required

Summary

OSIsoft PI Web API versions before 2017 (1.9.0) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can trick a logged-in PI Web API user into performing unintended actions on the historian database, including creating, modifying, or deleting data points and configuration elements. The vulnerability requires no special privileges and can be exploited with low skill by crafting a malicious webpage.

What this means

What could happen
A remote attacker could trick a PI Web API user into performing unauthorized actions on the historian (creating, modifying, or deleting data points and assets) by crafting a malicious webpage or email. This could corrupt operational data or disrupt access to critical process information.

Who's at risk
Water utilities and electric utilities that use OSIsoft PI Web API for remote access to PI historians and asset data are affected. This includes operators, engineers, and administrators who access PI Web API through a web browser, whether from workstations on the site network or over remote access.

How it could be exploited
An attacker crafts a malicious webpage and tricks a user of PI Web API into visiting it while logged in. The webpage contains hidden requests that perform unauthorized actions on the historian using the victim's authenticated session. The attacker does not need any credentials; the forged requests ride on the user's existing login.

Prerequisites
  • User must be logged into PI Web API in the same browser session
  • User must visit an attacker-controlled or compromised webpage while logged in
  • No authentication or network-level access to PI Web API is needed by the attacker beyond the service being reachable from the user's workstation

Key factors
  • remotely exploitable
  • no authentication required from attacker
  • low complexity
  • user interaction required (but the user is not suspicious of normal browsing)
  • affects data integrity of the operational historian
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product    | Affected Versions | Fix Status
PI Web API | < 2017 (1.9.0)    | 2017 (1.9.0)
Remediation & Mitigation

OSIsoft recommends that users upgrade to PI Web API version 2017 (1.9.0) and enable CSRF defense. To enable this option, set the configuration attribute 'EnableCSRFDefense' to 'True' in the PI Web API System Configuration element. This element is located at the path "..\OSIsoft\PI Web API\PIWebAPIMachineName\System Configuration" in the PI AF Server configuration database. A new installation of PI Web API 2017 (1.9.0) enables CSRF protection by default.
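The following is an added, illustrative model of the checks a server-side CSRF defense performs on state-changing requests; it is not OSIsoft's code and does not describe how PI Web API's 'EnableCSRFDefense' option is implemented. The trusted origin, request URLs and sample requests are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed model of a CSRF defense. NOT PI Web API's own implementation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumed: only the historian's own web origin may drive write requests.
TRUSTED_ORIGINS = {"https://piwebapi.example.local"}


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


def is_cross_site_forgery(req: Request) -> bool:
    """Return True when a state-changing request should be rejected.

    Two independent signals are checked:
    1. The browser-supplied Origin (or Referer) must be a trusted origin.
    2. A custom header (X-Requested-With) must be present. A plain HTML
       form, <img> or link on an attacker's page cannot add custom headers;
       only same-origin script (or a CORS-preflighted call) can.
    """
    if req.method.upper() in SAFE_METHODS:
        return False  # reads cannot create, modify or delete points
    hdrs = {k.lower(): v for k, v in req.headers.items()}
    origin = hdrs.get("origin")
    if origin is None and "referer" in hdrs:
        parts = urlsplit(hdrs["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in TRUSTED_ORIGINS:
        return True  # cross-site, or origin withheld entirely
    if "x-requested-with" not in hdrs:
        return True  # a bare form post, even if same-origin, is rejected
    return False


# Constructed sample traffic: a legitimate same-origin AJAX write and a
# hidden form post from an attacker-controlled page.
LEGIT_WRITE = Request("POST", "https://piwebapi.example.local/piwebapi/points",
                      {"Origin": "https://piwebapi.example.local",
                       "X-Requested-With": "XMLHttpRequest"})
FORGED_WRITE = Request("POST", "https://piwebapi.example.local/piwebapi/points",
                       {"Origin": "https://evil.example",
                        "Content-Type": "application/x-www-form-urlencoded"})
```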
