OSIsoft PI Vision

Monitor4.8ICS-CERT ICSA-19-043-01Feb 12, 2019

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionRequired

Summary

A cross-site scripting (XSS) vulnerability in OSIsoft PI Vision 2017 and 2017 R2 allows an attacker with high-level credentials to inject malicious script code into the PI Vision web interface. When a victim views the compromised page, the script executes in their browser, enabling the attacker to read and modify the contents of the PI Vision web page and associated application data displayed to that user. This affects the integrity of operational data visualization in industrial monitoring systems.

What this means

What could happen

An attacker could read and modify contents displayed on the PI Vision web page and associated application data within a victim's browser, potentially affecting the integrity of industrial process visualization and monitoring.

Who's at risk

Water utilities and electric utilities using OSIsoft PI Vision 2017 or 2017 R2 for real-time industrial process monitoring and visualization. Particularly affects organizations where PI Vision displays critical operational data such as pressure, flow, voltage, or system state information that operators and engineers rely on for decision-making.

How it could be exploited

An attacker with high-level credentials crafts a malicious web request containing script code (stored or reflected cross-site scripting) targeting a PI Vision administrator or operator. When the victim accesses the affected PI Vision page in their browser, the attacker's script executes in the context of the victim's session, allowing the attacker to view and modify displayed data and page contents.

Prerequisites

High-level user credentials (administrator or operator role) on PI Vision
User interaction required: victim must view the malicious PI Vision page in their browser
Network access to the PI Vision web server

Remotely exploitable over networkRequires high-level credentials (reduces risk)User interaction required (reduces risk)Affects data integrity and visualization of operational data

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (2)

2 pending

ProductAffected VersionsFix Status

PI Vision: 2017 R22017 R2No fix yet

PI Vision: 20172017No fix yet

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict data sources added to PI Vision to only verified legitimate sources; configure appropriate access controls on all data items

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade PI Vision 2017 to version 2017 R2 SP1

HOTFIXUpgrade PI Vision 2017 R2 to version 2017 R2 SP1

Long-term hardening

0/1

HARDENINGReview and apply web security guidance in OSIsoft KB01631 for PI Vision configuration

CVEs (1)

CVE-2018-19006

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/707a2d9a-1fd9-441f-a5b9-81d94939ec98