CVE-2024-3467

Deserialization of Untrusted Data in AVEVA PI Asset Framework Client

Description

There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.

Remediation

Solution:

  • AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible: * (Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later: From OSI Soft Customer Portal https://my.osisoft.com/ , search for "Asset Framework" and select "PI Asset Framework (AF) Client 2023 Patch 1" or later. * (Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later: From OSI Soft Customer Portal https://my.osisoft.com/ , search for "Asset Framework" and select either "PI Asset Framework (AF) Client 2018 SP3 Patch 5" or later. AVEVA further recommends users follow general defensive measures: * Run PI System Explorer as a least privilege interactive account when possible. * Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer. For additional information please refer to AVEVA-2024-004 https://www.aveva.com/en/support-and-success/cyber-security-updates/

Category

7.0
CVSS
Severity: High
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.03%
Third-Party Advisory cisa.gov
Affected: AVEVA PI Asset Framework Client
Published at:
Updated at:

References

Link Tags
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03 government resource third party advisory us government resource

Frequently Asked Questions

What is the severity of CVE-2024-3467?
CVE-2024-3467 has been scored as a high severity vulnerability.
How to fix CVE-2024-3467?
To fix CVE-2024-3467: AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible: * (Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later: From OSI Soft Customer Portal https://my.osisoft.com/ , search for "Asset Framework" and select "PI Asset Framework (AF) Client 2023 Patch 1" or later. * (Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later: From OSI Soft Customer Portal https://my.osisoft.com/ , search for "Asset Framework" and select either "PI Asset Framework (AF) Client 2018 SP3 Patch 5" or later. AVEVA further recommends users follow general defensive measures: * Run PI System Explorer as a least privilege interactive account when possible. * Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer. For additional information please refer to AVEVA-2024-004 https://www.aveva.com/en/support-and-success/cyber-security-updates/
Is CVE-2024-3467 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-3467 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-3467?
CVE-2024-3467 affects AVEVA PI Asset Framework Client.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.