AVEVA Pipeline Simulation

Plan PatchCVSS 9.1ICS-CERT ICSA-26-106-04Apr 16, 2026

AVEVAOil & gas

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

AVEVA Pipeline Simulation contains an authorization bypass vulnerability (CWE-862) that allows an unauthenticated attacker to modify simulation parameters, training configuration, and training records. The issue affects versions 2025 SP1 build 7.1.9497.6351 and earlier. The vulnerability is remotely exploitable over the network with no authentication required and low complexity.

What this means

What could happen

An attacker could modify simulation parameters and training records without authentication, potentially corrupting operator training data or creating misleading simulation scenarios. This could degrade the effectiveness of operator training programs and introduce inaccurate operational reference data.

Who's at risk

Oil and gas operators using AVEVA Pipeline Simulation for operator training and process simulation. This particularly affects training departments that rely on simulation systems to prepare operators and maintain accurate training records and scenario configurations.

How it could be exploited

An attacker with network access to the Pipeline Simulation Server API can craft requests to modify simulation parameters, training configuration, and training records without providing any credentials. The API lacks proper access controls, allowing unauthorized modifications of critical training and simulation data.

Prerequisites

Network access to the Pipeline Simulation Server API endpoint
No credentials required

remotely exploitableno authentication requiredlow complexityaffects training/simulation data integrity

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (1)

ProductAffected VersionsFix Status

Pipeline Simulation≤ 2025 SP1 build 7.1.9497.6351Fix available

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to the Pipeline Simulation Server API using host-based and network firewall rules to allow connections only from trusted Pipeline Simulation client systems

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate AVEVA Pipeline Simulation to version 2025 SP1 P01 (build 7.1.9580.8513) or higher

HARDENINGEnable TLS encryption for all API communications and ensure server certificates are properly managed and protected

CVEs (1)

CVE-2026-5387

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/57bd22a7-aa9b-4399-9efb-eb70e0d9078b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.