AVEVA PI Integrator
Plan PatchCVSS 7.6ICS-CERT ICSA-25-224-04Aug 12, 2025
AVEVA
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionRequired
Summary
AVEVA PI Integrator for Business Analytics contains two vulnerabilities: improper file upload handling (CWE-434) and sensitive information disclosure through file path traversal (CWE-201). An authenticated attacker can upload and execute arbitrary files to the server, or read restricted files by manipulating file paths during publication operations. The vulnerabilities affect PI Integrator for Business Analytics versions 2020 R2 SP1 and earlier. Versions 2020 R2 SP2 and higher contain the fix.
What this means
What could happen
An attacker with legitimate user access could upload and execute malicious files on the PI Integrator system or read sensitive process data, potentially compromising industrial asset history data or process configurations used by manufacturing and utility operations.
Who's at risk
Organizations running AVEVA PI Integrator for Business Analytics in manufacturing, utilities, and energy facilities rely on this system to publish and archive historical process data. System administrators, process engineers, and data analysts who have user accounts are at risk if they connect to an unpatched system, as their accounts could be compromised or manipulated to upload malicious files.
How it could be exploited
An attacker with valid user credentials logs into PI Integrator for Business Analytics and uploads a malicious file through a misconfigured publication target (Text File or HDFS output). The file executes with system privileges, or the attacker reads restricted files by manipulating file paths during the publish operation.
Prerequisites
- Valid PI Integrator user account credentials
- Access to the PI Integrator web interface or API
- Publication targets misconfigured to allow arbitrary file extensions or output to unprotected directories
Requires valid user credentials but those are often shared or reused across the organizationFile upload vulnerabilities typically have low exploitation complexity once access is gainedPI Integrator stores critical historical data about industrial processes, making information disclosure damagingNo authentication required for file extension bypass if default output folders are world-writable
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
ProductAffected VersionsFix Status
PI Integrator for Business Analytics: <=2020_R2_SP1_.≤ 2020 R2 SP1 .2020 R2 SP2 or higher
Remediation & Mitigation
0/6
Do now
0/4HARDENINGRestrict file extensions allowed in Text File and HDFS publication targets to only safe types (CSV, TXT, etc.) and block executable extensions
HARDENINGConfigure publication target output folders to be isolated from system executable paths, critical application directories, and Windows system folders
HARDENINGAudit and restrict PI Integrator user permissions to the minimum required; ensure only trusted administrators can create or modify publication targets
HARDENINGRestrict network access to PI Integrator to the internal business network; do not expose the web interface to the internet or untrusted networks
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpgrade PI Integrator for Business Analytics to version 2020 R2 SP2 or higher
Long-term hardening
0/1HARDENINGApply Windows Defender Application Control (WDAC) policies on PI Integrator servers to restrict execution to authorized binaries only
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/64ce6caf-205f-4957-89e5-f00fff2856d1Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.