OTPulse

AVEVA PI Data Archive

Plan Patch | CVSS 7.1 | ICS-CERT ICSA-25-162-07 | Jun 12, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

AVEVA PI Server and PI Data Archive contain two vulnerabilities (CVE-2025-44019, CVE-2025-36539) that let an authenticated attacker trigger unhandled exceptions in PI subsystems, producing a denial-of-service condition. Affected versions are PI Data Archive and PI Server up to and including 2023 Patch 1, and 2018 SP3 Patch 6 or earlier. Successful exploitation shuts down necessary subsystems, disrupting process data collection and archival.

What this means
What could happen
An attacker with valid credentials could trigger denial-of-service conditions in PI Data Archive or PI Server subsystems, potentially stopping data collection and archival functions across your process monitoring infrastructure.
Who's at risk
Water utilities and electric utilities relying on AVEVA PI Server or PI Data Archive for real-time process monitoring, historian data collection, and SCADA integration. This includes any facility using PI for asset health monitoring, trend analysis, or operational reporting.
How it could be exploited
An attacker holding valid credentials connects over the network to the PI Server or PI Data Archive service (TCP 5450 by default, or a configured API port) and sends crafted requests that raise an unhandled exception in a subsystem, crashing that subsystem and halting data flow until it is restarted.
Prerequisites
  • Valid user credentials (engineering workstation login or service account)
  • Network access to PI Server or PI Data Archive on port 5450 (default) or configured web/API port
  • PI Server or PI Data Archive process must be running
Requires valid credentials (authenticated attack); low complexity exploitation; no fixed build in the 2023 line, so 2023 deployments must upgrade to 2024 (2018 SP3 deployments can apply Patch 7 or later instead); affects availability of critical monitoring infrastructure.
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (6), 6 with fix

Product         | Affected Versions   | Fix Status
PI Data Archive | ≤ 2018 SP3 Patch 4  | 2024 or higher (or 2018 SP3 Patch 7 or higher)
PI Server       | ≤ 2018 SP3 Patch 6  | 2024 or higher (or 2018 SP3 Patch 7 or higher)
PI Data Archive | 2023                | 2024 or higher (or 2018 SP3 Patch 7 or higher)
PI Data Archive | 2023 Patch 1        | 2024 or higher (or 2018 SP3 Patch 7 or higher)
PI Server       | 2023                | 2024 or higher (or 2018 SP3 Patch 7 or higher)
PI Server       | 2023 Patch 1        | 2024 or higher (or 2018 SP3 Patch 7 or higher)
Remediation & Mitigation
Do now
  • HARDENING: Enforce a strong password policy and review active user accounts with PI Server/PI Data Archive access; remove unnecessary service accounts.
  • HARDENING: Implement network segmentation: restrict access to PI Server and PI Data Archive to authorized engineering workstations and historian clients only. Use firewall rules to limit inbound traffic to required ports.
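The two hardening steps above, worked through as an added example (this is not code from the OTPulse advisory or from AVEVA). It assumes the OSIsoft PowerShell Tools for the PI System (module name OSIsoft.PowerShell) are installed on the administrator's workstation, that the historian host is called PIDA01, and that the only hosts needing TCP 5450 are the two addresses in $AllowedClients; the host name, addresses and the identity property names (IsEnabled, AllowExplicitLogin, PrincipalName) are assumptions to verify against your own deployment.

```powershell
# Added example, not part of the advisory: enumerate who can authenticate to the
# PI Data Archive, then restrict inbound TCP 5450 on the historian to approved clients.
# Assumes the OSIsoft.PowerShell module; PIDA01 and the client addresses are placeholders.

Import-Module OSIsoft.PowerShell

$HistorianName  = 'PIDA01'                         # hypothetical PI Data Archive host
$AllowedClients = @('10.10.20.11', '10.10.20.12')  # hypothetical engineering workstations / interface nodes

# --- Step 1: account review (run from the admin workstation) -----------------------
$conn = Connect-PIDataArchive -PIDataArchiveMachineName $HistorianName

# Identities that still permit explicit (password) login are the ones a password policy
# has to cover; everything else should authenticate through Windows (AD) mappings.
# Property names follow the AF SDK PIIdentity object and are assumed here.
Get-PIIdentity -Connection $conn |
    Where-Object { $_.IsEnabled -and $_.AllowExplicitLogin } |
    Select-Object Name, Type, AllowExplicitLogin |
    Format-Table -AutoSize

# Windows principals mapped into PI identities: every row here satisfies the
# "authenticated attacker" precondition of this advisory, so prune unused ones.
Get-PIMapping -Connection $conn |
    Select-Object Name, PrincipalName, Identity, IsEnabled |
    Format-Table -AutoSize

# PI trusts grant access by IP/application without any password and are the weakest
# authentication path; list them so unnecessary trusts can be disabled.
Get-PITrust -Connection $conn |
    Select-Object Name, Identity, IsEnabled |
    Format-Table -AutoSize

# --- Step 2: host firewall on the historian (run on PIDA01 as administrator) ---------
# Windows Firewall gives Block precedence over Allow, so do not add a catch-all block
# rule; instead disable any existing rule that allows TCP 5450 from 'Any', add a scoped
# Allow, and rely on the profile's default inbound action of Block.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -contains '5450') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if (@($remote) -contains 'Any') {
            Write-Host "Disabling unscoped rule: $($_.DisplayName)"
            Disable-NetFirewallRule -Name $_.Name
        }
    }

New-NetFirewallRule -DisplayName 'PI Data Archive - TCP 5450 from approved clients only' `
    -Direction Inbound -Protocol TCP -LocalPort 5450 `
    -RemoteAddress $AllowedClients -Action Allow -Profile Domain,Private

# Ensure unscoped inbound traffic (including to 5450) is dropped by default.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# --- Step 3: verify from a host that is NOT in $AllowedClients --------------------
# Expect TcpTestSucceeded to be False there, and True from an approved client.
Test-NetConnection -ComputerName $HistorianName -Port 5450
```

Run the account review first and keep its output with the change record: it documents which identities, mappings and trusts existed before pruning. The firewall portion only covers the historian's own host firewall; apply the same 5450 restriction on the network firewall between the control-system and enterprise zones so that a compromised host outside the historian VLAN cannot reach the listener at all.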
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade PI Server to version 2024 or higher (or PI Server 2018 SP3 Patch 7 or higher for older deployments). Obtain from the OSIsoft Customer Portal and schedule during a maintenance window.