Summary
This document is a security bulletin detailing a vulnerability in the PI Asset Framework (AF) Client, specifically addressing the deserialization of untrusted data. The bulletin outlines the potential for local code execution due to insecure deserialization, which could allow malicious code to execute within the PI System Explorer environment. The vulnerability affects specific versions of the PI AF Client, including 2023 and 2018 SP3 P04 and earlier. Recommendations are provided for organizations to evaluate the impact of these vulnerabilities and apply security updates promptly. Additionally, general defensive measures are suggested, such as running the PI System Explorer with least privilege and verifying the trustworthiness of XML sources before import. The bulletin also mentions the availability of security update downloads and acknowledges contributions from various organizations in coordinating advisories and generating CVEs.
