ABB B&R PVI Sensitive Information Logging Vulnerability
An authenticated local attacker can gather credential information from ABB B&R PVI client application logs when logging is enabled, addressed in version 6.5.0 (CVE-2026-0936).
ABB became aware of a vulnerability in ABB B&R PVI client versions prior to 6.5.0 (CVE-2026-0936). An attacker who successfully exploits this vulnerability could read sensitive information, including credentials, in the logging data of the PVI client application. It is important to note that logging is deactivated by default in all PVI client versions. However, if a user explicitly enables logging for troubleshooting or debugging purposes, the application may write sensitive information to log files, which can be accessed by a local attacker with appropriate privileges. This vulnerability affects the energy sector primarily, with deployments worldwide. ABB recommends that customers apply the update to version 6.5.0 at their earliest convenience.
Attack Chain
- The attacker gains local access to a system with an affected version of ABB B&R PVI (<6.5.0) installed.
- The attacker identifies that PVI client-side application logging is enabled. Note: This is not enabled by default.
- The attacker locates the log files generated by the PVI client application. The storage path is user-defined when enabling logging.
- The attacker reads the log files, searching for sensitive information such as usernames, passwords, or API keys that the PVI client application processed and inadvertently wrote to the logs.
- The attacker uses the extracted credentials to gain unauthorized access to systems or data accessible by the PVI client application.
- The attacker may escalate privileges using the compromised credentials depending on the permissions associated with the compromised account.
Impact
Successful exploitation of CVE-2026-0936 allows a local attacker to obtain sensitive information, including credentials, that the ABB B&R PVI client application writes to its logs. The logging function is not enabled by default, which reduces the attack surface. However, if logging is enabled for troubleshooting purposes, the application may inadvertently log sensitive data. The impact is primarily on the energy sector due to the use of ABB B&R PVI in industrial control systems. An attacker could use the compromised credentials to gain unauthorized access to control systems, potentially leading to disruption of operations or data breaches.
Recommendation
- Upgrade ABB B&R PVI to version 6.5.0 or later to remediate CVE-2026-0936.
- If upgrading is not immediately feasible, ensure that PVI client-side application logging is disabled unless required for troubleshooting (CVE-2026-0936).
- If logging is enabled, ensure the storage path for the log files is properly secured to restrict access to only authorized users as mentioned in the advisory’s mitigation steps (CVE-2026-0936).
- Enable Sysmon process creation logging to detect potential unauthorized access or privilege escalation attempts following credential compromise, and deploy the provided Sigma rule to your SIEM.
- Regularly review and securely delete client-side logging information when it is no longer needed as a general security best practice (CVE-2026-0936).
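The review step in the recommendations above can be scripted. The following is an added example, not code from ABB or from the advisory: it walks the user-defined log directory, flags credential-like entries with their values masked, and reports files past a retention window. The key names in the pattern, the 7-day window and the sample file names are assumptions, since the page does not describe the PVI log format.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed key names: the PVI log format is not given on the page.
CRED_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|user(?:name)?|api[_-]?key|token)\b"
    r"(\s*[=:]\s*)(\"[^\"]*\"|'[^']*'|[^\s;,]+)"
)

def redact(line):
    """Mask the value of every credential-like key so the report leaks nothing."""
    return CRED_RE.sub(lambda m: m.group(1) + m.group(2) + "<redacted>", line)

def audit_log_dir(log_dir, max_age_days=7, now=None):
    """Return one finding per file that holds credential-like entries or is past retention."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(log_dir).rglob("*")):
        if not path.is_file():
            continue
        hits = []
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if CRED_RE.search(line):
                    hits.append((lineno, redact(line.rstrip("\r\n"))))
        expired = (now - path.stat().st_mtime) / 86400 > max_age_days
        if hits or expired:
            findings.append({"file": path.name, "hits": hits, "expired": expired})
    return findings

def demo():
    """Run the audit over a constructed log directory (sample data, not real PVI output)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "pvi_client.log").write_text(
            "2026-01-10 12:00:01 connect host=10.0.0.5\n"
            "2026-01-10 12:00:02 login user=operator password=Example123\n"
        )
        old = Path(d) / "old.log"
        old.write_text("startup ok\n")
        stale = time.time() - 30 * 86400  # pretend it was written 30 days ago
        os.utime(old, (stale, stale))
        return audit_log_dir(d, max_age_days=7)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The script only reports; rotating any credential it flags and securely deleting expired files remain separate steps.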
Detection coverage (2 rules)
Detect PVI Client Executable
Severity: info. Detects execution of the ABB B&R PVI client executable to monitor for potential usage.
Detect Modification of PVI Log Configuration Files
Severity: low. Detects changes to ABB B&R PVI logging configuration files, which might indicate an attempt to enable logging for malicious purposes.