AVEVA PI Web API
Status: Plan Patch · Score: 7.6 · ICS-CERT ICSA-24-163-02 · Jun 11, 2024
Attack Vector: Network
Privileges Required: Low (any authenticated PI Web API user)
Attack Complexity: Low
User Interaction: Required
Summary
This vulnerability in AVEVA PI Web API allows authenticated users to perform remote code execution through a deserialization flaw (CWE-502). Affected versions include PI Web API 2023 and earlier. Successful exploitation could allow an attacker with valid credentials to execute arbitrary commands on the PI Web API server, potentially compromising historian data integrity, disrupting operator access to process information, or altering data used for process decisions.
What this means
What could happen
An attacker with valid user credentials could execute arbitrary code on your PI Web API server, potentially allowing them to manipulate historian data, alter process parameters, or disrupt access to live and historical plant data that operators rely on for process control and monitoring.
Who's at risk
Water utilities, electric utilities, and other process industries that rely on AVEVA PI System for data historians and real-time analytics. PI Web API is commonly used as the interface for SCADA frontends, operator dashboards, and remote monitoring applications. Any organization using PI Web API versions 2023 or earlier is at risk.
How it could be exploited
An attacker must first obtain valid credentials for a PI Web API user account (through phishing, credential compromise, or insider access). Once authenticated, they can exploit the vulnerability to run arbitrary code on the PI Web API server with the privileges of the service account.
Prerequisites
- Valid PI Web API user account credentials
- Network access to PI Web API port (typically 443/HTTPS)
- PI Web API version 2023 or earlier deployed
Key facts
- Remotely exploitable over HTTPS
- Requires valid user credentials (a low barrier once credentials are compromised)
- Low attack complexity
- Affects data historian and process visibility systems
- No in-place patch for releases before 2023 SP1; remediation is an upgrade
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: PI Web API
Affected versions: 2023 and earlier (≤ 2023)
Fix status: 2023 SP1 or later
Remediation & Mitigation
Do now
WORKAROUND: Set the DisableWrites configuration setting to true on PI Web API instances that only serve reads (GET requests).
Schedule — requires maintenance window
Patching may require a reboot of the host; plan for process interruption.
HOTFIX: Upgrade PI Web API to version 2023 SP1 or later.
HOTFIX: If running PI Web API 2021 SP3, upgrade PI AF Client to the version specified in AVEVA Security Bulletin AVEVA-2024-004 / ICSA-24-163-03.
HARDENING: Uninstall the Core Endpoints feature from PI Web API instances used only for data collection from AVEVA Adapters (keep the OMF feature installed).
Long-term hardening
HARDENING: Restrict membership of the AF Servers' Administrator role so that as few PI Web API user accounts as possible hold permissions to modify the backend servers.
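The remediation items above are conditional: the upgrade applies to every release up to 2023, the PI AF Client step only to 2021 SP3, the DisableWrites workaround only to read-only instances, and the Core Endpoints removal only to adapter-ingress instances. The following script is an added example (not AVEVA code, not part of the advisory) that encodes those rules so an inventory of PI Web API instances can be triaged consistently. The inventory records, host names and field names are constructed for the example; the release strings are assumed to be the marketing names used in the advisory ("2023", "2023 SP1", "2021 SP3"), which must be compared as (year, service pack) rather than as plain strings.

```python
"""Triage helper for ICSA-24-163-02 (AVEVA PI Web API deserialization RCE).

Added example, not AVEVA code. It applies the advisory's rules to a locally
maintained inventory: releases up to 2023 are affected, 2023 SP1 carries the
fix, and each listed mitigation applies only under a stated condition.
All inventory data below is constructed; field names are this script's own.
"""
import re
from dataclasses import dataclass, field

# First release that carries the fix, per the advisory's "Fix status".
FIXED_RELEASE = "2023 SP1"


def parse_release(version: str) -> tuple[int, int]:
    """Turn a release string ('2023', '2023 SP1', '2021 SP3') into a
    (year, service_pack) tuple so releases order correctly.
    A plain string comparison would rank '2023 SP10' below '2023 SP2',
    so the service-pack number is parsed as an integer."""
    m = re.fullmatch(r"\s*(\d{4})(?:\s*SP\s*(\d+))?\s*", version, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised PI Web API release string: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(version: str) -> bool:
    """True for every release older than the first fixed release."""
    return parse_release(version) < parse_release(FIXED_RELEASE)


@dataclass
class Instance:
    """One PI Web API deployment as recorded in the inventory (constructed schema)."""
    host: str
    version: str
    disable_writes: bool                  # current value of the DisableWrites setting
    read_only_workload: bool              # clients only issue GET requests against it
    features: set = field(default_factory=set)  # installed features, e.g. {"Core Endpoints", "OMF"}
    adapter_ingress_only: bool = False    # exists only to receive data from AVEVA Adapters


def recommend(inst: Instance) -> list[str]:
    """Map one instance to the advisory's remediation items that apply to it."""
    if not is_affected(inst.version):
        return [f"{inst.host}: {inst.version} already includes the fix; no action for ICSA-24-163-02"]

    actions = [f"{inst.host}: HOTFIX upgrade {inst.version} to {FIXED_RELEASE} or later"]
    if parse_release(inst.version) == (2021, 3):
        actions.append(f"{inst.host}: HOTFIX also upgrade PI AF Client per AVEVA-2024-004 / ICSA-24-163-03")
    if inst.read_only_workload and not inst.disable_writes:
        actions.append(f"{inst.host}: WORKAROUND set DisableWrites=true until the upgrade lands")
    if inst.adapter_ingress_only and "Core Endpoints" in inst.features:
        actions.append(f"{inst.host}: HARDENING uninstall Core Endpoints, keep OMF")
    return actions


def triage(inventory: list[Instance]) -> dict[str, list[str]]:
    """Return {host: [actions]} for a whole inventory."""
    return {inst.host: recommend(inst) for inst in inventory}


# Constructed sample inventory (host names and settings are made up).
SAMPLE_INVENTORY = [
    Instance("piwebapi-ops", "2023", disable_writes=False, read_only_workload=True,
             features={"Core Endpoints", "OMF"}),
    Instance("piwebapi-adapters", "2021 SP3", disable_writes=True, read_only_workload=False,
             features={"Core Endpoints", "OMF"}, adapter_ingress_only=True),
    Instance("piwebapi-new", "2023 SP1", disable_writes=False, read_only_workload=False,
             features={"Core Endpoints"}),
]

if __name__ == "__main__":
    for actions in triage(SAMPLE_INVENTORY).values():
        for line in actions:
            print(line)
```

Feed it the release and feature data you already hold for each instance; the output is the per-host checklist for the "Do now", "Schedule" and "Long-term hardening" items, with the role-membership review left as a manual step since it is an AF Server setting rather than a property of a single PI Web API instance.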
CVEs (1)
API: /api/v1/advisories/0f842d87-1921-4be3-90ee-212aefa59c3b