Summary
Successful exploitation of this vulnerability could allow an unauthenticated attacker to modify simulation parameters, training configuration and training records.
The following versions of AVEVA Pipeline Simulation are affected:
- Pipeline Simulation <=2025_SP1_build_7.1.9497.6351
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.1 | AVEVA | AVEVA Pipeline Simulation | Missing Authorization |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United Kingdom
Vulnerabilities
CVE-2026-5387
The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modification of simulation parameters, training configuration, and training records.
Affected Products
AVEVA Pipeline Simulation
AVEVA
AVEVA Pipeline Simulation: <=2025_SP1_build_7.1.9497.6351
known_affected
Remediations
Vendor fix
All affected versions can be fixed by upgrading to AVEVA Pipeline Simulation 2025 SP1 P01 (build 7.1.9580.8513) or higher. (https://softwaresupportsp.aveva.com/en-US/downloads/products/details/57b79fdb-7b5f-4125-8a44-833b6b5c6d6f)
https://softwaresupportsp.aveva.com/en-US/downloads/products/details/57b79fdb-7b5f-4125-8a44-833b6b5c6d6f
Mitigation
For more information, please see AVEVA’s security bulletin AVEVA-2026-004 (https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2026-004.pdf).
https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2026-004.pdf
Vendor fix
Restrict Network Access: Implement host-based and/or network firewall controls on all nodes hosting the Pipeline Simulation Server API to ensure that only trusted Pipeline Simulation client systems are permitted to establish connections.
Mitigation
Enforce Secure Communication: Enable TLS for all API communications and ensure that server certificates are properly managed and protected to reduce the risk of manipulator-in-the-middle(MitM) attacks and tampering with data in transit.
Relevant CWE: CWE-862 Missing Authorization
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Acknowledgments
- AVEVA reported this vulnerability to CISA
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control s
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: