AVEVA PI to CONNECT Agent
Monitor | 6.5 | ICS-CERT ICSA-26-041-04 | Feb 10, 2026
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
PI to CONNECT Agent versions v2.4.2520 and earlier expose proxy server connection credentials (username and password) in plaintext within event logs. These logs are created automatically during normal operation and may be retained in live systems, backups, and archived copies. An attacker with read access to these logs can extract valid proxy credentials and use them to access the proxy service and connected systems without authorization or audit trail.
What this means
What could happen
An attacker with access to PI to CONNECT Agent event logs could obtain proxy server credentials, potentially allowing unauthorized access to the proxy and any systems it connects to. This could compromise data integrity across your entire PI infrastructure.
Who's at risk
Organizations running AVEVA PI to CONNECT Agent (versions 2.4.2520 or earlier) in data integration or cloud connectivity roles. This primarily affects utilities and industrial plants using PI for real-time data collection and storage. The risk is highest if logs are stored centrally, backed up, or transmitted to log management systems.
How it could be exploited
An attacker who can read event logs on the machine where PI to CONNECT Agent runs (via local access, log aggregation systems, or compromised backups) will find plaintext proxy credentials in the logs. These credentials can then be used to access the proxy server without detection.
Prerequisites
- Local or remote read access to PI to CONNECT Agent event logs (live, backup, or archived copies)
- Affected product version v2.4.2520 or earlier installed
No authentication required to read logs | Low complexity exploitation | Default logging behavior exposes credentials | Affects data integration and connectivity infrastructure
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
PI to CONNECT Agent: <=v2.4.2520 | ≤ v2.4.2520 | v2.5.2790 or higher
Remediation & Mitigation
Do now
- WORKAROUND: Review and purge proxy credentials from existing event logs (live copies, backups, and archives)
- HARDENING: Rotate credentials for proxy service access on all systems that may have been exposed in logs
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade PI to CONNECT Agent to v2.5.2790 or higher
Long-term hardening
- HARDENING: Implement log access controls to restrict who can view event logs containing sensitive connection details
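
One way to carry out the log review step above, as an added example that is not AVEVA's code or tooling. The advisory does not give the agent's log message format, so the two patterns (credentials embedded in a proxy URL, and password key/value pairs) and the sample lines are assumptions to adapt to your exported logs.

```python
import re

# Assumed patterns: the advisory does not publish the agent's log message
# format, so these cover two common ways proxy credentials end up in text.
URL_USERINFO = re.compile(
    r"(?P<scheme>\b[a-z][a-z0-9+.\-]*://)(?P<user>[^\s:/@]+):(?P<secret>[^\s/@]+)@",
    re.IGNORECASE,
)
KEY_VALUE = re.compile(
    r"(?P<key>\b(?:proxy[\s_\-]?)?(?:password|passwd|pwd)\b\s*[=:]\s*)"
    r"(?P<secret>\"[^\"]*\"|'[^']*'|[^\s,;]+)",
    re.IGNORECASE,
)
MASK = "<redacted>"


def redact_line(line):
    """Return (redacted_line, kinds) where kinds names the patterns that hit."""
    kinds = []
    line, n = URL_USERINFO.subn(lambda m: f"{m['scheme']}{MASK}:{MASK}@", line)
    if n:
        kinds.append("url-userinfo")
    line, n = KEY_VALUE.subn(lambda m: f"{m['key']}{MASK}", line)
    if n:
        kinds.append("key-value")
    return line, kinds


def scan(lines):
    """Return (line_number, kinds, redacted_line) for every line with a hit."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        redacted, kinds = redact_line(raw.rstrip("\n"))
        if kinds:
            findings.append((number, kinds, redacted))
    return findings


# Constructed sample lines, not real PI to CONNECT Agent output.
SAMPLE = [
    "2026-01-12 08:00:01 INFO  Agent started",
    "2026-01-12 08:00:02 INFO  Using proxy http://svc_proxy:Example-Pass1@proxy.example.internal:8080",
    "2026-01-12 08:00:02 DEBUG ProxyUser=svc_proxy; ProxyPassword=Example-Pass1; Port=8080",
    "2026-01-12 08:00:05 INFO  Connected to https://connect.example.com/ingest",
]

if __name__ == "__main__":
    for number, kinds, redacted in scan(SAMPLE):
        print(f"line {number} [{', '.join(kinds)}]: {redacted}")
```

Run `scan` over exported text copies of live, backup, and archived logs; the reported line numbers identify the entries to purge.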
CVEs (1)
API: /api/v1/advisories/3c04dc43-23f3-4223-80a5-22eab273ec57