CVE-2026-5387

CRITICAL

AVEVA Pipeline Simulation Missing Authorization

Title source: cna

Description

The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modification of simulation parameters, training configuration, and training records.

References (4)

Core 4

Core References

https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2026-004.pdf

https://softwaresupportsp.aveva.com/en-US/downloads/products/details/57b79fdb-7b5f-4125-8a44-833b6b5c6d6f

https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-04

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-04.json

Scores

CVSS v4 9.3

EPSS 0.0039

EPSS Percentile 30.4%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-862

Status published

Products (1)

AVEVA/Pipeline Simulation 2025 < 2025 SP1 (build 7.1.9497.6351)

Published Apr 15, 2026

Tracked Since Apr 15, 2026