View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.2
• ATTENTION: Exploitable remotely/Low attack complexity
• Vendor: Dover Fueling Solutions
• Equipment: ProGauge MagLink LX consoles
• Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker gaining control of the monitoring device, manipulating fueling operations, deleting system configurations, or deploying malware.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ProGauge MagLink LX, a fuel and water tank monitor, are affected:

• ProGauge MagLink LX 4: Versions prior to 4.20.3
• ProGauge MagLink LX Plus: Versions prior to 4.20.3
• ProGauge MagLink LX Ultimate: Versions prior to 5.20.3

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The device exposes an undocumented and unauthenticated Target Communication Framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution.

CVE-2025-5310 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-5310. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Souvik Kandar of Microsec (microsec.io) reported this vulnerability to CISA.

4. MITIGATIONS

Dover Fueling Solutions recommends users update their ProGauge MagLink devices to Version 4.20.3 or later for MagLink LX 4 and MagLink LX Plus models. The upgrade can be downloaded from the Dover Fueling Solutions website.

For MagLink LX Ultimate devices, Dover Fueling Solutions recommends users update to version 5.20.3 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• June 17, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Low attack complexity
• Vendor: Fuji Electric
• Equipment: Smart Editor
• Vulnerabilities: Out-of-bounds Read, Out-of-bounds Write, Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Fuji Electric products are affected:

• Smart Editor: Versions 1.0.1.0 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

The affected product is vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.

CVE-2025-32412 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-32412. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

The affected product is vulnerable to an out-of-bounds write, which may allow an attacker to execute arbitrary code.

CVE-2025-41413 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-41413. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121

The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code.

CVE-2025-41388 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-41388. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

kimiya working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Fuji Electric recommends users update to Smart Editor v1.0.2.0 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• June 17, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Low attack complexity
• Vendor: LS Electric
• Equipment: GMWin 4
• Vulnerabilities: Out-of-Bounds Write, Out-of-Bounds Read, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of LS Electric GMWin 4, a programming software tool, are affected:

• GMWin 4: Version 4.18

3.2 VULNERABILITY OVERVIEW

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

A Heap-based Buffer Overflow vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation of user-supplied data, which can result in different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.

CVE-2025-49850 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-49850. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS READ CWE-125

An Out-of-bounds Read vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation of user-supplied data, which can result in different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.

CVE-2025-49849 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-49849. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 OUT-OF-BOUNDS WRITE CWE-787

An Out-of-bounds Write vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation of user-supplied data, which can result in different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.

CVE-2025-49848 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-49848. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: South Korea

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

LS Electric GMWin 4 has been discontinued and is no longer available for service. LS electric recommends users to use the XGT series as a replacement.

For more information, contact LS Electric.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• June 17, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 4.6
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: Mendix Studio Pro
• Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to write or modify arbitrary files in directories outside a developer's project directory.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following versions of Mendix Studio Pro integrated development environment are affected:

• Siemens Mendix Studio Pro 8: Versions prior to V8.18.35
• Siemens Mendix Studio Pro 9: Versions prior to V9.24.35
• Siemens Mendix Studio Pro 10: Versions prior to V10.23.0
• Siemens Mendix Studio Pro 10.6: Versions prior to V10.6.24
• Siemens Mendix Studio Pro 10.12: Versions prior to V10.12.17
• Siemens Mendix Studio Pro 10.18: Versions prior to V10.18.7
• Siemens Mendix Studio Pro 11: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer's project directory upon module installation.

CVE-2025-40592 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40592. A base score of 4.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released new versions for several affected products and recommends users update to the latest versions. Siemens is preparing further fixed versions and recommends specific countermeasures for products where fixes are not, or not yet, available:

• Mendix Studio Pro 8: Update to V8.18.35 or later version.
• Mendix Studio Pro 9: Update to V9.24.35 or later version.
• Mendix Studio Pro 10: Update to V10.23.0 or later version.
• Mendix Studio Pro 10.6: Update to V10.6.24 or later version.
• Mendix Studio Pro 10.12: Update to V10.12.17 or later version.
• Mendix Studio Pro 10.18: Update to V10.18.7 or later version.
• Mendix Studio Pro 11: Currently no fix is available.

Siemens recommends that users do not install untrusted/unverified modules in Studio Pro projects.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-627195 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• June 17, 2025: Initial Republication of Siemens SSA-627195

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.9
• ATTENTION: Low attack complexity
• Vendor: AVEVA
• Equipment: PI Connector for CygNet
• Vulnerabilities: Cross-site Scripting, Improper Validation of Integrity Check Value

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to persist arbitrary code in the administrative portal of the product or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PI Connector for CygNet are affected:

• PI Connector for CygNet: Version 1.6.14 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79

A cross-site scripting vulnerability exists in PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow an administrator miscreant with local access to the connector admin portal to persist arbitrary JavaScript code that will be executed by other users who visit affected pages.

CVE-2025-4417 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-4417. A base score of 6.9 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N).

3.2.2 Improper Validation of Integrity Check Value CWE-354

An improper validation of integrity check value vulnerability exists in PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow a miscreant with elevated privileges to modify PI Connector for CygNet local data files (cache and buffers) in a way that causes the connector service to become unresponsive.

CVE-2025-4418 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-4418. A base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA Ethical Disclosure reported these vulnerabilities to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users of affected product versions should apply security updates to mitigate the risk of exploit.

All affected versions of PI Connector for CygNet can be fixed by upgrading to PI Connector for CygNet v1.7.0 or higher. From OSISoft Customer Portal, search for "PI Connector for CygNet" and select Version 1.7.0 or higher.

AVEVA further recommends users follow general defensive measures:

• Ensure that PI Connector for CygNet administrative access is only provided to trusted entities.
• Audit custom installation folder Access Control Lists (ACLs) to ensure access is only provided to trusted entities.
• Audit and limit membership to the OS Local "Administrators" and "PI Connector Administrators" groups.

For additional information please refer to AVEVA-2025-002.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• June 12, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: AVEVA
• Equipment: PI Data Archive
• Vulnerabilities: Uncaught Exception, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could shut down necessary subsystems and cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PI Data Archive, as delivered by PI Server are affected:

• PI Data Archive: Versions 2018 SP3 Patch 4 and prior (CVE-2025-44019)
• PI Data Archive: Version 2023 (CVE-2025-44019, CVE-2025-36539)
• PI Data Archive: Version 2023 Patch 1 (CVE-2025-44019, CVE-2025-36539)
• PI Server: Versions 2018 SP3 Patch 6 and prior (CVE-2025-44019)
• PI Server: Version 2023 (CVE-2025-44019, CVE-2025-36539)
• PI Server: Version 2023 Patch 1 (CVE-2025-44019, CVE-2025-36539)

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCAUGHT EXCEPTION CWE-248

The affected products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service. Depending on the timing of the crash, data present in snapshots/write cache may be lost.

CVE-2025-44019 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2025-44019. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.2 UNCAUGHT EXCEPTION CWE-248

The affected products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service.

CVE-2025-36539 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-36539. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA Ethical Disclosure reported these vulnerabilities to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users with affected product versions should apply security updates to mitigate the risk of exploit.

(CVE-2025-44019, CVE-2025-36539) All affected versions of PI Data Archive and PI Server can be fixed by upgrading to PI Server 2024 or higher. From OSISoft Customer Portal, search for "AVEVA PI Server" and select version 2024 or higher.

(CVE-2025-44019) PI Data Archive 2018 SP3 Patch 4 and all prior and PI Server 2018 SP3 Patch 6 and all prior can alternatively be fixed by upgrading to PI Server 2018 SP3 Patch 7 or higher. From OSISoft Customer Portal, search for "AVEVA PI Server" and select Version 2018 SP3 Patch 7 or higher.

AVEVA further recommends users follow general defensive measures:

• Monitor liveness of PI Network Manager and PI Archive Subsystem services.
• Set the PI Network Manager and PI Archive Subsystem services to automatically restart.
• Limit Port 5450 access to trusted workstations and software.
• For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements.
• Impact and severity of vulnerabilities can be reduced through industry accepted IT practices. Please consult your IT engineer for advice on how to best implement these firewall restrictions in your organization's architecture. OSIsoft technical support provides guidance on architectural approaches, backup procedures, network defenses, and operating system configuration.
• For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server.

For additional information please refer to AVEVA-2025-001.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 12, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 4.5
• ATTENTION: Exploitable remotely
• Vendor: AVEVA
• Equipment: PI Web API
• Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to disable content security policy protections.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA PI Web API are affected:

• PI Web API: Versions 2023 SP1 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

A cross-site scripting vulnerability exists in PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or upload media files) to persist arbitrary JavaScript code that will be executed by users who were socially engineered to disable content security policy protections while rendering annotation attachments from within a web browser.

CVE-2025-2745 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-2745. A base score of 4.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA Ethical Disclosure reported this vulnerability to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users of affected product versions should apply security updates to mitigate the risk of exploit.

From OSISoft Customer Portal, search for "PI Web API" and select version 2023 SP1 Patch 1 or higher.

AVEVA further recommends users follow general defensive measures:

• Review and update the file extensions allowlist for annotation attachments to remove potentially vulnerable of undesired file types (ex: svg, pdf, ...).
• Consider implementing IT policies that would prevent users from subverting/disabling content security policy browser protections.
• Inform PI Web API users that annotation attachments should be retrieved through direct REST requests to PI Web API rather than rendering them in the browser interface.
• Audit assigned privileges to ensure that only trusted users are given "Annotate" access rights.

For additional information please refer to AVEVA-2025-003.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• June 12, 2025: Initial Publication

Today, CISA released Cybersecurity Advisory: Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider.

This advisory is in response to ransomware actors targeting customers of a utility billing software provider through unpatched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM).

This incident is part of a broader trend of ransomware actors exploiting unpatched versions of SimpleHelp RMM since January 2025.

SimpleHelp versions 5.5.7 and earlier contain multiple vulnerabilities, including CVE-2024-57727, a path traversal vulnerability. Ransomware actors likely exploited CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM, resulting in service disruptions and double extortion incidents.

CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities Catalog on February 13, 2025.

Organizations using SimpleHelp RMM should: 

• Search for evidence of compromise,
• Apply the mitigations outlined in the advisory such as patching CVE-2024-57727 and/or implementing appropriate workarounds to prevent or respond to confirmed or potential compromises, and
• Follow CISA’s Known Exploited Vulnerabilities Catalog.

CISA released ten Industrial Control Systems (ICS) advisories on June 12, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-162-01 Siemens Tecnomatix Plant Simulation
• ICSA-25-162-02 Siemens RUGGEDCOM APE1808
• ICSA-25-162-03 Siemens SCALANCE and RUGGEDCOM
• ICSA-25-162-04 Siemens SCALANCE and RUGGEDCOM
• ICSA-25-162-05 Siemens SIMATIC S7-1500 CPU Family
• ICSA-25-162-06 Siemens Energy Services
• ICSA-25-162-07 AVEVA PI Data Archive
• ICSA-25-162-08 AVEVA PI Web API
• ICSA-25-162-09 AVEVA PI Connector for CygNet
• ICSA-25-162-10 PTZOptics and Other Pan-Tilt-Zoom Cameras

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.