OSIsoft PI Vision

MonitorCVSS 6.1ICS-CERT ICSA-18-072-03Mar 13, 2018

OSIsoft

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

PI Vision versions 2017 and earlier contain cross-site scripting (CWE-693) and information disclosure (CWE-200) vulnerabilities in the web interface. These flaws allow an attacker to inject malicious scripts that execute in the context of a user's browser session, potentially exposing sensitive process data or manipulating displayed information. The vulnerability requires user interaction (clicking a malicious link) but can be exploited remotely with low skill. OSIsoft recommends upgrading to PI Vision 2017 R2 Update 1.

What this means

What could happen

An attacker could steal sensitive process data or plant information through PI Vision's web interface, or modify displayed data to mislead operators about system status.

Who's at risk

Water utilities, electric utilities, and other critical infrastructure operators using OSIsoft PI Vision 2017 or earlier for real-time process visualization and monitoring should prioritize this update. PI Vision is commonly used to display live data from PLCs, RTUs, and historians across water treatment, power distribution, and manufacturing facilities.

How it could be exploited

An attacker could craft a malicious link or embed malicious script in web pages that PI Vision users visit. When an operator clicks the link or visits the page, the script runs in their browser within the PI Vision session, allowing the attacker to read sensitive process data or manipulate what the operator sees on screen.

Prerequisites

User must click a malicious link or visit a compromised web page while logged into PI Vision
PI Vision must be accessible from the network where the attacker can reach it

remotely exploitableno authentication requiredlow complexityaffects critical process visualization systems

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

PI Vision:≤ 20172017 R2 Update 1

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGTrain operators to avoid clicking suspicious links and to verify the URL before entering credentials into PI Vision

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade PI Vision to version 2017 R2 Update 1 or later

Long-term hardening

0/1

HARDENINGRestrict network access to PI Vision web servers using firewall rules to limit exposure to trusted engineering and monitoring networks only

CVEs (2)

CVE-2018-7504 CVE-2018-7496

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fe81bd9f-441d-40b8-b184-88078b2e1fd3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.