# ABB B&R PVI Client Logging Flaw Exposes Credentials to Local Attackers
## The Threat
ABB has disclosed a vulnerability in its B&R PVI (Programming Environment for Visualization and Interface) client application that could allow authenticated local attackers to harvest sensitive credential information through the application's logging mechanism. The flaw, tracked as CVE-2026-0936, affects the client-side logging functionality of the industrial automation software, enabling attackers with local system access to extract authentication details processed by the PVI client during normal operations.
PVI is a critical component of ABB's B&R automation platform, widely deployed in industrial control systems across energy, manufacturing, and other critical infrastructure sectors worldwide. While ABB emphasizes that logging is disabled by default and must be explicitly activated by users, the vulnerability presents a significant risk in environments where administrators have enabled client-side logging for troubleshooting or forensic purposes—a common practice in operational technology environments.
The vulnerability underscores a broader security concern in industrial automation software: the tension between operational visibility (which requires logging) and security posture (which demands that sensitive data not be written to disk in plaintext). Organizations relying on PVI for system management and diagnostics now face a critical choice: upgrade immediately or carefully manage which systems have logging enabled.
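The CWE-532 pattern behind this advisory is easy to reproduce in any client that logs the requests it processes. The following Python example is added here to illustrate the point made above; it is not PVI code and assumes a hypothetical connect event with fields named `host`, `user` and `password`. It shows a logger that writes the whole request to the log (the vulnerable shape) beside one that attaches a `RedactingFilter` so the credential value is scrubbed before any handler writes it, while host and user stay visible for troubleshooting.

```python
import io
import logging
import re

# Constructed sample event (hypothetical field names, not PVI's real format).
SAMPLE_EVENT = {"host": "plc-01", "user": "operator", "password": "Hunter2!"}

# Keys whose values must never reach a log file.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "key")
# Matches "password=value" / "token: value" pairs inside a free-text message.
_KV_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\b(\s*[=:]\s*)(\S+)"
)


def redact(text: str) -> str:
    """Replace the value of every sensitive key/value pair with a marker."""
    return _KV_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message before any handler sees the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format args in, then scrub
        record.args = ()                           # prevent a second formatting pass
        return True


def _capture_logger(name: str, redacting: bool):
    """Build a logger writing to an in-memory buffer so the output can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(RedactingFilter())
    return logger, buf


def log_connect_vulnerable(event: dict) -> str:
    """CWE-532 shape: the request, credential included, is written verbatim."""
    logger, buf = _capture_logger("pvi.client.vulnerable", redacting=False)
    logger.debug("connect host=%s user=%s password=%s",
                 event["host"], event["user"], event["password"])
    return buf.getvalue().strip()


def log_connect_hardened(event: dict) -> str:
    """Same call site, but the filter strips the secret before it hits disk."""
    logger, buf = _capture_logger("pvi.client.hardened", redacting=True)
    logger.debug("connect host=%s user=%s password=%s",
                 event["host"], event["user"], event["password"])
    return buf.getvalue().strip()


if __name__ == "__main__":
    print("vulnerable:", log_connect_vulnerable(SAMPLE_EVENT))
    print("hardened:  ", log_connect_hardened(SAMPLE_EVENT))
```

The filter is a backstop, not the primary fix: the cleaner design is to never hand the secret to the logging call at all, and to log only an identifier (host, user, session id) that is enough to diagnose a failed connection. A message-level scrubber also only catches values that follow the `key=value` shape it knows about, so it should be reviewed whenever a new credential type is introduced.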
## Severity and Impact
| Attribute | Details |
|---|---|
| CVE Identifier | CVE-2026-0936 |
| CVSS v3.1 Score | 5.0 (MEDIUM) |
| CVSS Vector | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low (authenticated user) |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |
| CWE Classification | CWE-532: Insertion of Sensitive Information into Log File |
The CVSS score of 5.0 reflects a medium-severity vulnerability with limited attack surface. The attacker must already have local system access and valid credentials to the affected system, and user interaction is required to trigger the vulnerability. However, the "high" confidentiality impact rating reflects the sensitivity of the data at risk—credentials processed by PVI could grant access to critical industrial control systems if compromised.
## Affected Products
ABB B&R PVI:
Important Note: PVI is distributed as part of the Automation Studio installation package and shares version numbering with its parent release. Organizations running Automation Studio should check the bundled PVI version to determine if their installation is affected. A patch is available that addresses this vulnerability completely.
## Mitigations
### Immediate Actions
1. Apply the Security Update
ABB recommends that all customers upgrade to PVI 6.5.0 or later at the earliest opportunity. The update is available through standard ABB channels and is included in the corresponding Automation Studio 6.5.0 release. Organizations should consult the user manual for step-by-step upgrade procedures and product version identification tools.
2. Verify Your Current Version
Before deploying patches, determine which version of PVI is currently installed. The Automation Studio user manual contains instructions for identifying the installed version on each system.
### Compensating Controls (If Immediate Patching Is Not Possible)
3. Disable Client-Side Logging
Since logging is disabled by default, the most direct mitigation is to ensure it remains disabled on all PVI client systems unless explicitly required. If logging must be enabled for troubleshooting or debugging, limit it to the minimum duration necessary and disable it immediately after diagnostics are complete.
4. Restrict Log File Access
If client-side logging is enabled, apply strict file system permissions so that only the user account under which the PVI client runs has read/write access to the log file directories. Prevent unprivileged users from accessing log storage paths.
5. Secure Log Retention and Deletion
Establish a policy requiring secure deletion of all client-side logging data after it is no longer needed for operational purposes. Standard file deletion may not suffice; consider cryptographic erasure or verified secure deletion tools to prevent log file recovery.
6. Network Segmentation
This vulnerability affects only the PVI client-side application logging and does not impact the PVI server component's security logging functions. Organizations should ensure that systems running PVI clients with logging enabled are properly segmented on the network to limit lateral movement if a client system is compromised.
### Long-Term Recommendations
7. Monitor for Configuration Drift
Implement configuration management and monitoring to detect when client-side logging is enabled on PVI systems. Automated alerts should notify administrators of any activation of logging functions, ensuring that temporary debugging measures are not accidentally left in production.
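The three compensating controls an operator can check for on a PVI client host are whether logging is switched on, whether the resulting files are readable by other users, and whether they already contain credential-looking values. The following Python audit script is added here as an illustration of steps 3, 4 and 7; it is not an ABB tool. It assumes a hypothetical INI-style client configuration with a `[Logging]` section and an `Enabled` key (PVI's real configuration format is not given on this page), and uses a POSIX mode-bit check for the permission test (on Windows the equivalent is to inspect the ACL with `Get-Acl` or `icacls`). The log lines it scans are constructed.

```python
import configparser
import os
import re
import stat
import tempfile
from pathlib import Path

# Hypothetical configuration layout; PVI's real format is an assumption here.
SAMPLE_CONFIG = "[Logging]\nEnabled = 1\nPath = ./pvilogs\n"

# Constructed log lines, not real PVI output.
SAMPLE_LOG = [
    "2026-02-01 08:00:01 INFO  session opened host=plc-01 user=operator",
    "2026-02-01 08:00:02 DEBUG connect request user=operator password=Hunter2!",
    "2026-02-01 08:00:03 DEBUG auth token: eyJhbGciOi...",
]

SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")
_KV = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\b\s*[=:]\s*\S+")


def logging_enabled(config_text: str) -> bool:
    """Step 3/7: report whether client-side logging is switched on (hypothetical key)."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return cp.getboolean("Logging", "Enabled", fallback=False)


def find_credential_lines(lines):
    """Return (line_number, key) for every line carrying a credential-like value."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _KV.search(line)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


def mode_is_too_open(mode: int) -> bool:
    """Step 4, POSIX variant: true if anyone other than the owner can read the file."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(config_text: str, logs: dict, modes: dict) -> list:
    """Pure audit over in-memory inputs: logs = {name: [lines]}, modes = {name: st_mode}."""
    findings = []
    if logging_enabled(config_text):
        findings.append("client-side logging is ENABLED (keep disabled unless required)")
    for name, lines in logs.items():
        if mode_is_too_open(modes.get(name, 0)):
            findings.append(f"{name}: readable by users other than the owner")
        for n, key in find_credential_lines(lines):
            findings.append(f"{name}:{n}: '{key}' value written in plaintext")
    return findings


def audit_host(config_path: Path, log_dir: Path) -> list:
    """Filesystem wrapper: read the config and every *.log file, then audit."""
    logs, modes = {}, {}
    for p in sorted(log_dir.glob("*.log")):
        logs[p.name] = p.read_text(errors="replace").splitlines()
        modes[p.name] = p.stat().st_mode
    return audit(config_path.read_text(), logs, modes)


if __name__ == "__main__":
    # Stand-alone demo on a throwaway directory populated with the constructed samples.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pvi.ini").write_text(SAMPLE_CONFIG)
        logf = root / "client.log"
        logf.write_text("\n".join(SAMPLE_LOG) + "\n")
        os.chmod(logf, 0o644)  # deliberately too open for the demo
        for finding in audit_host(root / "pvi.ini", root):
            print(finding)
```

Run on a schedule from the configuration management system, a non-empty result from `audit_host` is the alert the section above asks for: logging left on after a debugging session, a log directory that other accounts can read, or a file that already holds credential material and therefore falls under the secure-deletion policy of step 5.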
8. Follow General Security Practices
ABB recommends that organizations follow general security hardening practices for systems running PVI, including principle of least privilege for user accounts, regular security patching across all components, and defense-in-depth strategies for critical infrastructure systems.
---
Recommendation: Organizations operating ABB B&R PVI in production environments should prioritize upgrading to version 6.5.0 within their standard patch management timelines. Those unable to patch immediately should verify that client-side logging is disabled and implement strict access controls on any systems where logging is operationally necessary. Given the critical nature of many ABB deployments in energy and manufacturing sectors, this update should be treated as a priority security control.