Machine-generated analysis · WAYSCloud LLM
An unauthenticated attacker can escalate to administrative roles in AVEVA Pipeline Simulation by exploiting a missing authorization check. The vulnerability affects simulation parameters, training configuration, and training records.
Context
AVEVA Pipeline Simulation is a software product used in critical manufacturing sectors worldwide. The advisory states that a missing authorization vulnerability allows unauthenticated attackers to perform operations reserved for Simulator Instructor or Developer roles. The vendor has provided a specific fixed build version for remediation.
Operator considerations
Check: Inventory all instances of AVEVA Pipeline Simulation version 2025_SP1_build_7.1.9497.6351 or earlier.
Isolate: Restrict network access to the Pipeline Simulation Server API with host-based or network firewall controls so that only trusted clients can reach it.
Patch: Upgrade to AVEVA Pipeline Simulation 2025 SP1 P01 (build 7.1.9580.8513) or higher.
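The Check step can be scripted against an asset inventory. The following is an added example, not code from AVEVA or the advisory: it assumes a "host,version" CSV export, assumes build numbers compare numerically part by part, and uses constructed host names and sample rows. Builds that fall between the two numbers stated above are flagged for manual review, because the text does not say which side they belong on.

```python
import csv
import io
import re

# Build numbers taken from the advisory text above.
LAST_AFFECTED = (7, 1, 9497, 6351)   # 2025_SP1_build_7.1.9497.6351 or earlier
FIRST_FIXED = (7, 1, 9580, 8513)     # 2025 SP1 P01 or higher

# Four-part build number, e.g. inside "2025_SP1_build_7.1.9497.6351".
BUILD_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_build(text):
    """Return the build as a tuple of four ints, or None if none is found."""
    match = BUILD_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Classify one version string as affected, fixed, review or unparsed."""
    build = parse_build(text)
    if build is None:
        return "unparsed"      # do not assume a host is safe without a build
    if build <= LAST_AFFECTED:
        return "affected"
    if build >= FIRST_FIXED:
        return "fixed"
    # Between the two stated builds: not covered by the advisory text.
    return "review"


def triage(inventory_csv):
    """Map each host in a 'host,version' CSV to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["version"]) for row in reader}


# Constructed sample inventory (hypothetical host names).
SAMPLE = """host,version
sim-train-01,2025_SP1_build_7.1.9497.6351
sim-train-02,2025 SP1 P01 (build 7.1.9580.8513)
sim-dev-01,7.1.9102.1200
sim-dev-02,7.1.9500.1
sim-lab-01,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unparsed" or "review" need a manual version check before they are treated as remediated.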
Successful exploitation of this vulnerability could allow an unauthenticated attacker to modify simulation parameters, training configuration and training records.
The following versions of AVEVA Pipeline Simulation are affected:
Pipeline Simulation
Read the full advisory on CISA →