OTPulse

AVEVA PI Connector for CygNet

Monitor · 5.5 · ICS-CERT ICSA-25-162-09 · Jun 12, 2025
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: Required
Summary

AVEVA PI Connector for CygNet versions 1.6.14 and earlier contain a stored code injection vulnerability (CWE-79) in the administrative portal that allows a high-privilege local attacker to inject persistent malicious code, and a denial-of-service issue (CWE-354). Exploitation requires local system access as an administrator or PI Connector Administrator, and user interaction when an administrator accesses the portal. The attack vector is local with high privilege requirement, low attack complexity, and significant integrity impact on the administrative interface.

What this means
What could happen
An attacker with high-privilege local access could inject persistent malicious code into the administrative portal, compromising the integrity of process data displayed to operators, or trigger a denial-of-service condition that disrupts monitoring of connected CygNet equipment.
Who's at risk
Water utilities and municipal electric systems using AVEVA PI Connector for CygNet to monitor or control networked equipment should be aware of this vulnerability. It affects organizations that rely on the PI Connector administrative portal for remote or local monitoring of process data from CygNet systems. This is primarily a concern for utilities that have granted local system access to operators or maintenance personnel on PI Connector servers.
How it could be exploited
An attacker must first gain local system access as an administrator or member of the PI Connector Administrators group on the machine running PI Connector for CygNet. They can then inject code through the administrative portal interface that persists and executes when administrators access the portal, or trigger conditions that cause the service to become unavailable.
Prerequisites
  • Local system access required
  • High-privilege credentials (Windows Administrator or PI Connector Administrators group membership)
  • User interaction required (administrator must access the portal)
  • Custom installation folder write access or ACL misconfiguration
requires local system access · requires high-privilege credentials · user interaction required · affects administrative interfaces · no patch available for end-of-life versions
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product: PI Connector for CygNet
Affected Versions: ≤ 1.6.14
Fix Status: 1.7.0 or higher
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict administrative access to PI Connector for CygNet to trusted personnel only
  • WORKAROUND: Audit and restrict membership in OS Local 'Administrators' and 'PI Connector Administrators' groups to minimize local privilege
  • HARDENING: Review and harden custom installation folder Access Control Lists (ACLs) to ensure only authorized users can modify files
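
The group-membership audit and the installation-folder ACL review above can be scripted. The PowerShell below is an added example, not code from AVEVA or from the advisory; the `$InstallDir` parameter and the `$Allowed` list of principals are assumptions to set for your own site.

```powershell
# Added example (not AVEVA code). Run from an elevated PowerShell 5.1+ session.
param(
    # ASSUMPTION: you supply the connector's custom installation folder; the advisory gives no path.
    [Parameter(Mandatory)][string]$InstallDir,
    # Group names as written in the advisory.
    [string[]]$Groups = @('Administrators', 'PI Connector Administrators'),
    # ASSUMPTION: principals permitted to modify files; adjust to site policy.
    [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
)

# 1. Enumerate who holds the privileges the advisory lists as prerequisites.
foreach ($g in $Groups) {
    if (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue) {
        Get-LocalGroupMember -Group $g |
            Select-Object @{n='Group'; e={$g}}, Name, ObjectClass, PrincipalSource
    } else {
        Write-Warning "Local group '$g' not found on $env:COMPUTERNAME"
    }
}

# 2. Report ACL entries that let principals outside $Allowed change files in the folder.
# The mask covers specific write/delete/permission rights plus the raw
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that Get-Acl can return.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    throw "Install folder not found: $InstallDir"
}
$root  = Get-Item -LiteralPath $InstallDir
$items = @($root) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)
foreach ($item in $items) {
    $isRoot = $item.FullName -eq $root.FullName
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($isRoot -or -not $ace.IsInherited) -and   # children: explicit entries only
            ($Allowed -notcontains $ace.IdentityReference.Value) -and
            (([int]$ace.FileSystemRights -band $mask) -ne 0)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Any row from step 2 is a principal that can modify connector files without being on the allow-list; an empty result means the folder tree matches the policy passed in `$Allowed`.
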
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade PI Connector for CygNet to version 1.7.0 or higher