PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-3468 AVEVA CVE debrief

CVE-2024-3468 is a high-severity vulnerability in AVEVA PI Web API, published on 2024-06-11. The flaw allows malicious code execution in the PI Web API environment when an interactive user is socially engineered into importing attacker-supplied XML content through the API's XML import functionality. The CVSS 3.1 base score is 7.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L): the attack is network-based with low complexity, requires low privileges and user interaction, and has high impact on confidentiality and integrity with low impact on availability. Affected versions are PI Web API 2023 and earlier. AVEVA's primary remediation is PI Web API 2023 SP1; for PI Web API 2021 SP3 deployments, an alternative path is to upgrade PI AF Client per AVEVA Security Bulletin AVEVA-2024-004. Configuration-based mitigations include disabling writes on read-only instances (DisableWrites), uninstalling the Core Endpoints feature when only OMF is needed, and limiting AF Server Administrator permissions.

Vendor
AVEVA
Product
PI Web API
CVSS
HIGH 7.6
CISA KEV
Not listed in stored evidence
Original CVE published
2024-06-11
Original CVE updated
2024-06-11
Advisory published
2024-06-11
Advisory updated
2024-06-11

Who should care

Organizations operating AVEVA PI Web API in industrial control system environments, particularly those with external network exposure or multi-user access to API administrative functions. Critical infrastructure operators in energy, manufacturing, and process industries using PI System for operational data management. Security teams responsible for OT/ICS asset protection and patch management.

Technical summary

The vulnerability lies in the XML import functionality of AVEVA PI Web API. An attacker supplies crafted XML content and socially engineers an interactive, authenticated user into importing it; the import results in code execution in the PI Web API environment. The CVSS metrics reflect that chain: network attack vector, low attack complexity, low privileges required and user interaction required, with high confidentiality and integrity impact and low availability impact. The cited advisory does not detail the root cause; the behaviour is consistent with unsafe handling of attacker-controlled XML during import (missing validation or unsafe deserialization), but that is an inference from the description, not a confirmed analysis.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to AVEVA PI Web API 2023 SP1 or later via the OSIsoft Customer Portal
  • For PI Web API 2021 SP3 deployments, upgrade PI AF Client per AVEVA Security Bulletin AVEVA-2024-004
  • On read-only PI Web API instances, set DisableWrites configuration to true
  • On data collection-only instances used with AVEVA Adapters, uninstall Core Endpoints feature while retaining OMF
  • Restrict AF Server Administrator permissions to limit PI Web API user accounts' ability to modify backend AF servers
  • Review AVEVA Security Bulletin AVEVA-2024-003 for additional guidance
  • Apply network segmentation and access controls to limit exposure of PI Web API endpoints
  • Train PI Web API users to treat XML content from untrusted sources as untrusted and not to import it; the exploit path requires an interactive user to perform the import
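As an added example (not part of the original debrief and not AVEVA tooling), the following Python script audits a constructed inventory of PI Web API instances against the remediation and mitigation options listed above: it parses the release name to decide whether an instance is at or beyond PI Web API 2023 SP1, honours the PI Web API 2021 SP3 plus PI AF Client path from AVEVA-2024-004, and flags read-only instances without DisableWrites and OMF-only instances that still carry Core Endpoints. The inventory schema, host names, role labels and boolean flags are assumptions for this illustration; in a real fleet the release name, DisableWrites value and installed-feature state come from your own asset inventory or from each instance's configuration.

```python
"""Audit PI Web API instances against the CVE-2024-3468 mitigations.

Everything below the imports is constructed for this example: the Instance
record layout, the role labels and the sample inventory are assumptions,
not a real PI Web API schema or real hosts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# First release that carries the vendor fix: PI Web API 2023 SP1.
FIXED_RELEASE = (2023, 1)
# Release that has an alternative remediation via PI AF Client (AVEVA-2024-004).
AF_CLIENT_PATH_RELEASE = (2021, 3)


@dataclass
class Instance:
    host: str
    release: str                # e.g. "PI Web API 2023 SP1" (assumed format)
    role: str                   # "full", "read-only" or "adapter-only" (assumed labels)
    disable_writes: bool        # value of the DisableWrites setting
    core_endpoints_installed: bool
    af_client_mitigated: bool = False  # PI AF Client upgraded per AVEVA-2024-004


def parse_release(release: str) -> tuple[int, int]:
    """Turn 'PI Web API 2023 SP1' into (2023, 1); no SP suffix means (year, 0)."""
    m = re.search(r"(\d{4})(?:\s*SP\s*(\d+))?\s*$", release, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_patched(release: str) -> bool:
    """True when the release is PI Web API 2023 SP1 or later."""
    return parse_release(release) >= FIXED_RELEASE


def audit(inst: Instance) -> list[str]:
    """Return the list of findings for one instance (empty list means compliant)."""
    findings: list[str] = []
    rel = parse_release(inst.release)

    if rel < FIXED_RELEASE:
        # 2021 SP3 with the PI AF Client upgrade counts as remediated.
        alt_path = rel == AF_CLIENT_PATH_RELEASE and inst.af_client_mitigated
        if not alt_path:
            findings.append(
                f"{inst.host}: {inst.release} is affected by CVE-2024-3468; "
                "upgrade to PI Web API 2023 SP1 or later"
            )

    if inst.role == "read-only" and not inst.disable_writes:
        findings.append(f"{inst.host}: read-only instance with DisableWrites=false; set it to true")

    if inst.role == "adapter-only" and inst.core_endpoints_installed:
        findings.append(
            f"{inst.host}: OMF-only data collection instance still has Core Endpoints installed; "
            "uninstall the Core Endpoints feature"
        )
    return findings


def audit_fleet(instances: list[Instance]) -> dict[str, list[str]]:
    """Map host name to findings, listing only hosts that have at least one finding."""
    report = {inst.host: audit(inst) for inst in instances}
    return {host: f for host, f in report.items() if f}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Instance("pi-web-01", "PI Web API 2023", "full", False, True),
    Instance("pi-web-02", "PI Web API 2023 SP1", "read-only", False, True),
    Instance("pi-web-03", "PI Web API 2021 SP3", "adapter-only", True, True, af_client_mitigated=True),
    Instance("pi-web-04", "PI Web API 2023 SP1", "full", False, True),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_INVENTORY).items():
        for line in findings:
            print(line)
```

The release-name parser is deliberately strict: an unrecognised string raises rather than silently passing, so an inventory entry with a malformed version shows up as an error instead of as a false "patched" verdict.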

Evidence notes

Vulnerability details and remediation guidance sourced from CISA ICS Advisory ICSA-24-163-02. CVE published and modified dates both 2024-06-11T06:00:00.000Z. Affected product confirmed as AVEVA PI Web API <=2023. Vendor fix available via OSIsoft Customer Portal. Alternative fix path documented through AVEVA-2024-004/ICSA-24-163-03.

Official resources

CISA ICS Advisory ICSA-24-163-02 (AVEVA PI Web API), published 2024-06-11
CISA ICS Advisory ICSA-24-163-03 (AVEVA PI AF Client), published 2024-06-11
AVEVA Security Bulletin AVEVA-2024-003 (PI Web API)
AVEVA Security Bulletin AVEVA-2024-004 (PI AF Client)