AVEVA PI Data Archive

Posted on Thursday June 12, 2025

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: AVEVA
• Equipment: PI Data Archive
• Vulnerabilities: Uncaught Exception, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could shut down necessary subsystems and cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PI Data Archive, as delivered by PI Server are affected:

• PI Data Archive: Versions 2018 SP3 Patch 4 and prior (CVE-2025-44019)
• PI Data Archive: Version 2023 (CVE-2025-44019, CVE-2025-36539)
• PI Data Archive: Version 2023 Patch 1 (CVE-2025-44019, CVE-2025-36539)
• PI Server: Versions 2018 SP3 Patch 6 and prior (CVE-2025-44019)
• PI Server: Version 2023 (CVE-2025-44019, CVE-2025-36539)
• PI Server: Version 2023 Patch 1 (CVE-2025-44019, CVE-2025-36539)

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCAUGHT EXCEPTION CWE-248

The affected products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service. Depending on the timing of the crash, data present in snapshots/write cache may be lost.

CVE-2025-44019 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2025-44019. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.2 UNCAUGHT EXCEPTION CWE-248

The affected products are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service.

CVE-2025-36539 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-36539. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA Ethical Disclosure reported these vulnerabilities to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users with affected product versions should apply security updates to mitigate the risk of exploit.

(CVE-2025-44019, CVE-2025-36539) All affected versions of PI Data Archive and PI Server can be fixed by upgrading to PI Server 2024 or higher. From OSISoft Customer Portal, search for "AVEVA PI Server" and select version 2024 or higher.

(CVE-2025-44019) PI Data Archive 2018 SP3 Patch 4 and all prior and PI Server 2018 SP3 Patch 6 and all prior can alternatively be fixed by upgrading to PI Server 2018 SP3 Patch 7 or higher. From OSISoft Customer Portal, search for "AVEVA PI Server" and select Version 2018 SP3 Patch 7 or higher.

AVEVA further recommends users follow general defensive measures:

• Monitor liveness of PI Network Manager and PI Archive Subsystem services.
• Set the PI Network Manager and PI Archive Subsystem services to automatically restart.
• Limit Port 5450 access to trusted workstations and software.
• For a list of PI System firewall port requirements, see knowledge base article KB01162 - Firewall Port Requirements.
• Impact and severity of vulnerabilities can be reduced through industry accepted IT practices. Please consult your IT engineer for advice on how to best implement these firewall restrictions in your organization's architecture. OSIsoft technical support provides guidance on architectural approaches, backup procedures, network defenses, and operating system configuration.
• For a starting point on PI System security best practices, see knowledge base article KB00833 - Seven best practices for securing your PI Server.

For additional information please refer to AVEVA-2025-001.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 12, 2025: Initial Publication