PatchSiren cyber security CVE debrief
CVE-2026-1495 AVEVA CVE debrief
CVE-2026-1495 is an information-disclosure issue in AVEVA PI to CONNECT Agent. According to CISA’s CSAF advisory, a user with Windows Event Log Reader privileges can recover proxy details, including the proxy URL and credentials, from PI to CONNECT event log files. That exposure could let an attacker use the proxy server without authorization. AVEVA’s guidance is to upgrade affected systems and review existing logs for sensitive proxy data.
- Vendor
- AVEVA
- Product
- PI to CONNECT Agent
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-10
- Original CVE updated
- 2026-02-10
- Advisory published
- 2026-02-10
- Advisory updated
- 2026-02-10
Who should care
Organizations running AVEVA PI to CONNECT Agent, especially OT/ICS teams, Windows administrators who manage event log access, and security teams responsible for proxy credentials and log hygiene. Environments where Event Log Reader membership is broad or shared should treat this as a higher-priority exposure.
Technical summary
The advisory describes a local confidentiality issue with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. A user in the Event Log Reader group (S-1-5-32-573) may be able to read proxy URL and credential material from PI to CONNECT event log files. The source remediation guidance says affected versions are fixed by upgrading to PI to CONNECT Agent v2.5.2790 or higher and recommends reviewing live, backup, and copied logs for exposed proxy connection details.
Defensive priority
Medium. Prioritize remediation on any host where PI to CONNECT Agent is deployed, and elevate urgency if event log access is not tightly restricted or if proxy credentials may already be present in retained logs.
Recommended defensive actions
- Upgrade PI to CONNECT Agent to v2.5.2790 or later, as recommended in the advisory.
- Review existing PI to CONNECT event logs, including live logs, backups, and copied archives, for exposed proxy URLs or credentials.
- Purge sensitive proxy data from any affected logs and rotate proxy credentials if exposure is found.
- Limit Event Log Reader (S-1-5-32-573) membership to trusted users only on hosts running PI to CONNECT Agent.
- Remove plaintext passwords from proxy URLs where possible, or use least-privilege proxy credentials.
- Validate the deployment against AVEVA’s advisory and apply the vendor guidance based on your specific operational environment.
Evidence notes
The debrief is based on the CISA CSAF advisory ICSA-26-041-04 for AVEVA PI to CONNECT Agent and the linked official references. The source states that Event Log Reader privileges can expose proxy details from event logs, and that upgrading to v2.5.2790+ mitigates the issue. The source also includes a remediation entry with a malformed download URL; this debrief relies on the advisory text and the official AVEVA/CISA references instead.
Official resources
-
CVE-2026-1495 CVE record
CVE.org
-
CVE-2026-1495 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in CISA CSAF advisory ICSA-26-041-04 on 2026-02-10, republishing AVEVA-2026-003.