Pilz: Vulnerability affecting PASvisu Runtime

Plan Patch | CVSS 7.5 | PPSA-2026-002 | Apr 23, 2026
Pilz
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

PASvisu Runtime is vulnerable to denial of service via malicious web requests due to a flaw in a third-party component. An attacker with network access to the PASvisu server can exploit this vulnerability, causing the runtime to become unresponsive and disrupting access to visualization and control interfaces.

What this means
What could happen
A malicious web request can cause PASvisu Runtime to become unresponsive or crash, disrupting access to safety-critical visualization and control interfaces in your automation system.
Who's at risk
Pilz safety automation systems running PASvisu Runtime, including PMIv7xx and PMIv8xx controllers that provide visualization and safety logic interfaces. Any facility using these devices for process monitoring or safety-critical decision support should prioritize updates.
How it could be exploited
An attacker with network access to the PASvisu server can send a specially crafted web request that exploits a flaw in a third-party component, causing the runtime to stop responding to legitimate requests.
Prerequisites
  • Network access to PASvisu server (typically port 80/443 or custom web port)
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (3)
3 with fix
Product            Affected Versions   Fix Status
PMIv7xxe           ≤ 1.15.1            1.16.0
PMIv8xx            ≤ 1.15.1            1.16.0
PASvisu <=1.15.1   ≤ 1.15.1            1.16.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the PASvisu server using firewall rules: allow only connections from authorized engineering workstations and SCADA networks, and block direct internet access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PMIv8xx
HOTFIX: Update PMIv8xx firmware using PMI v8 Assistant version 2.3.0 or later
All products
HOTFIX: Update PASvisu to version 1.16.0 or later
HOTFIX: Update PMIv7xx firmware to version containing visu 1.16.0 (Firmware PMI v70Xe visu 1.16.0, 04.00.00)
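
One way to triage an asset inventory against the affected (≤ 1.15.1) and fixed (1.16.0) versions listed above, as an added example that is not part of the advisory or of any Pilz tooling. The inventory entries are constructed, and the assumption that firmware labels embed the PASvisu version as "visu X.Y.Z" rests only on the single label quoted in the PMIv7xx remediation step.

```python
import re

# Version bounds taken from the advisory's affected-products table.
LAST_AFFECTED = (1, 15, 1)   # versions <= 1.15.1 are affected
FIXED = (1, 16, 0)           # first fixed PASvisu / visu version

# "visu X.Y.Z" inside a firmware label (assumed pattern), or a bare version.
_VISU = re.compile(r"visu\s+(\d+(?:\.\d+){1,2})", re.IGNORECASE)
_PLAIN = re.compile(r"^\s*v?(\d+(?:\.\d+){1,2})\s*$")

def parse_visu_version(text):
    """Return the PASvisu version as an int tuple, or None if unreadable."""
    m = _VISU.search(text) or _PLAIN.match(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))   # pad "1.16" -> (1, 16, 0)

def classify(version_text):
    """Classify one inventory entry against PPSA-2026-002."""
    v = parse_visu_version(version_text)
    if v is None:
        return "unknown"      # unreadable: check manually, never assume patched
    if v <= LAST_AFFECTED:    # numeric tuple compare, so 1.9.0 < 1.15.1
        return "affected"
    if v >= FIXED:
        return "fixed"
    return "unknown"          # between the bounds: the advisory does not say

# Constructed sample inventory (hostnames and version strings are made up).
INVENTORY = [
    ("hmi-line1", "PMIv8xx", "1.15.1"),
    ("hmi-line2", "PMIv7xxe", "Firmware PMI v70Xe visu 1.16.0, 04.00.00"),
    ("visu-srv1", "PASvisu", "1.9.0"),   # a string compare would rank this above 1.15.1
    ("visu-srv2", "PASvisu", "n/a"),
]

def triage(inventory):
    """Map each host to its status for the patch schedule."""
    return {host: classify(ver) for host, _product, ver in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as "unknown" belong on the manual-check list alongside the "affected" ones until their version is confirmed.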
API: /api/v1/advisories/6c25fa8d-5871-4c30-add2-ebf8742b4531
