OTPulse

AVEVA PI Web API

Monitor | CVSS 6.5 | ICS-CERT ICSA-25-162-08 | Jun 12, 2025
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

PI Web API versions 2023 SP1 and earlier contain a cross-site scripting (XSS) vulnerability in annotation attachment handling that allows an authenticated user to bypass content security policy protections. By uploading a malicious annotation attachment (such as an SVG or PDF file), an attacker can inject script that executes when other users view the annotation in the web interface, potentially compromising session security and operator visibility of critical process data.

What this means
What could happen
An attacker with user credentials could bypass content security policy protections in PI Web API through annotation attachments, allowing them to inject malicious content that could compromise the integrity of data displayed to plant operators.
Who's at risk
Data analysts and plant engineers who use AVEVA PI Web API for process data visualization and annotation. This affects any organization relying on PI Web API versions 2023 SP1 or earlier for SCADA data trending, reporting, or real-time monitoring dashboards.
How it could be exploited
An attacker with valid PI Web API user credentials uploads a specially crafted annotation attachment (such as an SVG file) that contains malicious script. When another user views the annotation in the web interface, the content security policy is bypassed and the script executes in the user's browser, potentially allowing credential theft or session hijacking.
Prerequisites
  • Valid PI Web API user account with Annotate permission
  • Target user must view the malicious annotation attachment in the PI Web API browser interface
  • High attack complexity - requires user interaction and specific file type handling
  • PI Web API version 2023 SP1 or earlier
Key factors: requires valid user credentials with Annotate permission; requires user interaction (viewing the annotation in a browser); high attack complexity; affects web-based data visualization used by operators and engineers.
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product      Affected Versions   Fix Status
PI Web API   ≤ 2023 SP1          2023 SP1 Patch 1 or higher
Remediation & Mitigation
Do now
  • Workaround: Review and restrict the file extensions allowed for annotation attachments (remove svg, pdf, and other file types that could contain scripts)
  • Workaround: Configure IT policy to prevent users from disabling browser content security policy protections
  • Workaround: Instruct PI Web API users to retrieve annotation attachments through REST API requests instead of rendering them in the web browser
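The first and third workarounds, shown as an added illustrative check (this is not AVEVA's code or a PI Web API setting): a hypothetical upload gateway that allow-lists attachment extensions, confirms the bytes match the claimed type, rejects markup or PDF headers, and serves stored files as downloads with headers that stop the browser from rendering them inline. The function names and the allow-list are assumptions.

```python
# Added example, not from the advisory or from AVEVA: a hypothetical
# attachment gateway in front of an annotation store. Names are assumptions.
import re

# Types considered safe to store; script-capable formats (svg, pdf, html, xml)
# are deliberately absent from the allow-list.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt", "csv"}

# Magic bytes used to confirm that the content really is the claimed type.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Markers of active content that are refused regardless of extension.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(svg|script|html|iframe|object|embed)\b|%PDF-", re.IGNORECASE
)


def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) for an uploaded annotation attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '(none)'}' not allowed"
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return False, f"content does not match claimed type '{ext}'"
    # Text types are scanned fully; binary types only in their leading bytes.
    head = data if ext in ("txt", "csv") else data[:4096]
    if ACTIVE_CONTENT.search(head):
        return False, "active content marker found"
    return True, "ok"


def download_headers(filename: str) -> dict:
    """Headers for returning a stored attachment as a download (the REST
    retrieval workaround) instead of letting the browser render it inline."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```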
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • Hotfix: Update PI Web API to version 2023 SP1 Patch 1 or higher
Long-term hardening
  • Hardening: Audit and restrict the Annotate permission in PI Web API to only the trusted users who require it
  • Hardening: Isolate PI Web API from the internet and place it behind a firewall on a network segment separate from business networks