WECON PI Studio (Update A)

MonitorCVSS 7.8ICS-CERT ICSA-18-277-01Oct 4, 2018

WECONManufacturing

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

WECON PI Studio versions 4.1.9 and earlier (HMI) and 4.2.125 and earlier contain multiple vulnerabilities (CWE-121 buffer overflow, CWE-787 out-of-bounds write, CWE-611 XML external entity injection, CWE-125 out-of-bounds read) that allow local code execution and information disclosure under administrator context. These vulnerabilities are not remotely exploitable and require local access to the system. No public exploits are currently known. WECON has not released a fixed version and is working with CISA to develop patches.

What this means

What could happen

An attacker with local access to a PI Studio workstation could execute arbitrary code with administrator privileges, potentially enabling them to modify HMI screens, alter process logic, or exfiltrate sensitive configuration and operational data.

Who's at risk

Manufacturing facilities using WECON PI Studio for HMI (Human-Machine Interface) and industrial automation engineering. This includes water treatment plants, electrical utilities, chemical manufacturers, and food/beverage producers that rely on PI Studio for supervisory control and visualization of processes. The risk is highest in environments where engineering workstations are shared or have weak access controls.

How it could be exploited

An attacker must have local access to a PI Studio engineering workstation or HMI system (not remotely exploitable). The attacker could trigger the vulnerability through user interaction (opening a malicious file or project), leading to code execution in the context of the logged-in administrator account.

Prerequisites

Local access to PI Studio workstation or HMI system
Administrator account active or user interaction with malicious content
No remote exploitation possible

No patch availableAffects HMI/engineering systemsCode execution with administrator privilegesLocal access required (insider risk or physical access)Low EPSS score but high severityNot remotely exploitable

Exploitability

Some exploitation risk — EPSS score 1.2%

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

PI Studio HMI:≤ 4.1.9No fix (EOL)

PI Studio:≤ 4.2.125No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/1

HARDENINGRestrict physical and local access to PI Studio engineering workstations and HMI systems to authorized personnel only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

WORKAROUNDDisable network shares and USB access on PI Studio systems where feasible to limit attack surface for local code execution

HOTFIXMonitor for vendor updates and apply PI Studio patches immediately when available

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: PI Studio HMI:, PI Studio:. Apply the following compensating controls:

HARDENINGIsolate PI Studio workstations on a separate engineering network segment, segregated from business and internet-connected systems using firewalls

HARDENINGImplement application allowlisting on PI Studio workstations to prevent execution of unauthorized code

HARDENINGMaintain endpoint detection and response (EDR) tools on engineering workstations to detect suspicious behavior

CVEs (4)

CVE-2018-14818 CVE-2018-14810 CVE-2018-17889 CVE-2018-14814

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/bc1d1a87-951a-4530-afdb-52388280ef19

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.