Security Experts:

Connect with us

Hi, what are you looking for?



Vulnerability in OSIsoft PI System Can Facilitate Attacks on Critical Infrastructure

A stored cross-site scripting (XSS) vulnerability in OSIsoft PI System, a product often present in critical infrastructure facilities, can be exploited for phishing, privilege escalation and other purposes.

A stored cross-site scripting (XSS) vulnerability in OSIsoft PI System, a product often present in critical infrastructure facilities, can be exploited for phishing, privilege escalation and other purposes.

OSIsoft PI System is a data management platform that delivers plant monitoring and analysis capabilities. According to the vendor’s website, PI System has been deployed at over 19,000 sites around the world across various industries, including power, oil and gas, manufacturing, and mining.

Researchers at industrial cybersecurity company OTORIO discovered that the PI Web API 2019 component of PI System is affected by a stored XSS vulnerability that allows an attacker with limited privileges on the targeted system to conduct various types of activities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory for this flaw, which is tracked as CVE-2020-12021 and which impacts version and prior. OSIsoft has released a patch for the security hole and it has advised customers to take steps to minimize the risk of attacks.

Dor Yardeni, incident response team leader at OTORIO, told SecurityWeek that in order to exploit this vulnerability an external attacker somehow needs to gain access to PI Server, the data storage and distribution engine that powers PI System. Once they have access to PI Server, the attacker can exploit the stored XSS vulnerability to inject arbitrary JavaScript code into vulnerable fields in PI Server. Alternatively, an attacker could try to convince an insider to inject the code.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Once the malicious code has been injected, the attacker needs to wait for a user with elevated privileges to use the vulnerable PI Web API and pass their cursor over the infected fields, which results in the code getting executed in the victim’s browser. The attacker can inject code that, when executed, displays a phishing page designed to steal the victim’s credentials.

According to Yardeni, the hacker can then use these credentials for a wide range of activities, including to tamper with data that comes from the plant and make engineers or operators believe that everything is operating normally when in fact it’s not (e.g. a boiler’s real temperature could be 100°C and the application will only show 50°C). The attacker can also delete historical plant data, or use the compromised credentials to hack other plant resources that are accessible to the targeted user.

The vulnerability can also be exploited to inject code designed for page keylogging, stealing cookies, redirecting users to other websites, changing data on the infected page, and stealing browsing information (e.g. internal IP, browser version, etc.).

“If the attacker has high credentials he or she doesn’t need to exploit the vulnerability. They can get access to the production floor with the high credentials alone,” Yardeni explained. “But if the attacker obtained only weak credentials, with ‘write’ permissions, he/she would be able to exploit the vulnerability to obtain higher credentials and then have access to the entire production environment.”

OTORIO has released a video showing how an attacker could exploit this vulnerability for phishing:

Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files

Related: OSIsoft Warns Employees, Contractors of Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.