OSIsoft PI Vision

MonitorCVSS 6.5ICS-CERT ICSA-21-313-05Nov 9, 2021

OSIsoft

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionRequired

Summary

OSIsoft PI Vision versions before 2021 contain cross-site scripting (CWE-79) and improper access control (CWE-863) vulnerabilities. These vulnerabilities could allow an authenticated user to inject malicious scripts into displays or bypass role-based access controls to view, modify, or delete process data and displays beyond their assigned permissions. The vulnerability is limited in scope to permissions granted to the PI Vision Application Pool Identity. CVSS v3.0 score is 6.5 (AV:N/AC:H/PR:L/UI:R/S:C). No known public exploits exist.

What this means

What could happen

An attacker with valid PI Vision credentials could view, modify, or delete process data and displays through cross-site scripting and improper access control, potentially exposing sensitive industrial process information or disrupting visualization of plant operations.

Who's at risk

Water and electric utilities using OSIsoft PI Vision for real-time monitoring and process display should care. This affects anyone relying on PI Vision dashboards to visualize plant operations, especially operators and engineers who depend on accurate and authorized access to process data and controls.

How it could be exploited

An attacker with valid PI Vision user credentials could inject malicious scripts into displays (CWE-79 stored XSS) or exploit insufficient role-based access controls (CWE-863) to access data or modify displays they should not have permission to change. The attacker needs to be a authenticated PI Vision user and may need to convince a legitimate user to click a malicious link or perform an action that triggers the vulnerability.

Prerequisites

Valid PI Vision user credentials (any role)
Network access to PI Vision web application
Victim user must interact with attacker-supplied content (link, display, or data)

Remotely exploitableLow authentication barrier (any valid user)Requires user interaction (UI:R)Affects data confidentiality and integrityNo patch available for versions before 2021

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

PI Vision - < 2021< 20212021

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays

WORKAROUNDRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool

HARDENINGUse only modern web browsers (Microsoft Edge, Google Chrome, Mozilla Firefox) and disable Internet Explorer access to PI Vision

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to OSIsoft PI Vision 2021 or later

Long-term hardening

0/2

HARDENINGRegularly audit the AF (Asset Framework) hierarchy to ensure no unexpected elements, attributes, or properties exist

HARDENINGConfigure dedicated identity mapping for PI Vision Application Pool and manage permissions according to data classification policy

CVEs (2)

CVE-2021-43551 CVE-2021-43553

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/39f992cb-11a8-4a72-b5ae-7aab24dabe7a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.