PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8353 OSIsoft CVE debrief

CVE-2016-8353 describes an access-control weakness in OSIsoft PI Web API 2015 R2 (version 1.5.1). According to the published record, an attacker may be able to access PI system resources without the proper permissions. NVD rates the issue as CVSS 3.0 6.4 (medium) with network access, low attack complexity, and low privileges required.

Vendor: OSIsoft
Product: CVE-2016-8353
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Organizations running OSIsoft PI Web API 2015 R2 version 1.5.1, especially teams responsible for PI system administration, authentication, and external access controls. Security teams monitoring industrial or operational data exposure should also pay attention.

Technical summary

The NVD record maps the issue to a network-accessible authorization weakness (CWE-264) affecting cpe:2.3:a:osisoft:pi_web_api_2015_r2:1.5.1. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates that exploitation requires only low privileges and no user interaction, and that it can affect confidentiality and integrity across a changed scope. The published description is limited, so the safest interpretation is that access checks in PI Web API may be insufficient for some requests or resources.

Defensive priority

Medium

Recommended defensive actions

  • Confirm whether PI Web API 2015 R2 version 1.5.1 is deployed anywhere in your environment.
  • Review vendor and US-CERT guidance for ICSA-16-287-01 before making changes.
  • Audit authorization rules, API authentication flows, and any exposed PI Web API endpoints for least-privilege access.
  • Restrict network exposure of PI Web API to trusted hosts and management networks where possible.
  • If supported by the vendor, upgrade or apply remediation guidance for affected PI Web API releases.
  • Monitor logs for unexpected API access patterns, especially requests that succeed without the expected permissions.

Evidence notes

This debrief is based only on the supplied NVD/CVE corpus and linked references. The published record states that OSIsoft PI Web API 2015 R2 (1.5.1) may allow access to PI systems without proper permissions. NVD lists CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, CWE-264, and a vulnerable CPE for version 1.5.1. References in the corpus include a US-CERT advisory (ICSA-16-287-01) and SecurityFocus BID 93552.

Official resources

Published by NVD/CVE on 2017-02-13. The supplied record shows a later NVD modification timestamp of 2026-05-13, which should be treated as metadata maintenance, not the original disclosure date.