CISA 2026-05-05

ABB B&R PVI

CVE-2026-0936

Machine-generated analysis · WAYSCloud LLM

Logging is disabled by default, limiting the exposure of this vulnerability. The issue only affects PVI client applications, not server components.

Context

ABB B&R PVI is an industrial software component used in the energy sector and deployed worldwide. The advisory describes an information disclosure vulnerability where authenticated local attackers could read credential data from client application logs. The logging function is disabled by default and requires explicit user activation.

Operator considerations

Check: Verify PVI client versions below 6.5.0
Patch: Upgrade to PVI 6.5.0
Log: Monitor for any unexpected logging activation on client systems

From Cybersecurity and Infrastructure Security Agency ↗

ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is now available that addresses and remediates the vulnerability. An attacker who successfully exploited this vulnerability could read sensitive information in the logging data of the PVI client application. Logging is deactivated by default in all PVI client versions.

The following versions of ABB B&R PVI are affected:

PVI

Read the full advisory on CISA →