CVE-2025-2745: CWE-79 in AVEVA PI Web API
A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or upload media files) to persist arbitrary JavaScript code that will be executed by users who were socially engineered to disable content security policy protections while rendering annotation attachments from within a web browser.
AI Analysis
Technical Summary
CVE-2025-2745 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting AVEVA PI Web API versions 2023 SP1 and earlier. This vulnerability allows an authenticated attacker with limited privileges—specifically those who can create or update annotations or upload media files—to inject and persist arbitrary JavaScript code within the application. The injected script executes in the context of users who view the affected annotation attachments through a web browser. However, exploitation requires that the victim user be socially engineered to disable Content Security Policy (CSP) protections, which normally help prevent such script execution. The vulnerability impacts confidentiality significantly, as the attacker can potentially steal sensitive session tokens or perform actions on behalf of the victim user. Integrity impact is low since the attacker’s ability to modify data is limited to the annotations/media they can upload, and availability is not affected. The CVSS v3.1 base score is 6.5 (medium severity), reflecting the need for authentication, high attack complexity due to CSP bypass requirement, and user interaction. The vulnerability’s scope is changed (S:C), meaning the attack can affect components beyond the initially vulnerable component, such as other users’ browsers rendering the malicious content. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability is particularly relevant for organizations using AVEVA PI Web API for industrial data visualization and management, where annotations and media uploads are common features. Attackers exploiting this flaw could leverage social engineering to bypass CSP and execute malicious scripts, potentially leading to session hijacking or unauthorized actions within the web application context.
Potential Impact
For European organizations, the impact of CVE-2025-2745 can be significant in sectors relying on AVEVA PI Web API, such as manufacturing, energy, utilities, and critical infrastructure. The ability to inject persistent XSS payloads can lead to theft of sensitive operational data, unauthorized access to industrial control systems, or manipulation of displayed information, undermining trust in operational dashboards. Since exploitation requires authenticated access with annotation or media upload privileges, insider threats or compromised user accounts pose a higher risk. The social engineering component to disable CSP adds complexity but does not eliminate risk, especially in environments with less security awareness. Confidentiality breaches could expose proprietary process data or personally identifiable information (PII) of employees. Integrity impacts are limited but could affect annotation accuracy, leading to operational misunderstandings. Availability is not directly impacted, but indirect effects such as loss of trust or forced downtime for remediation could occur. European organizations subject to strict data protection regulations (e.g., GDPR) may face compliance risks if sensitive data is exposed. The medium severity rating suggests prioritizing mitigation but indicates that immediate widespread exploitation is less likely without targeted social engineering.
Mitigation Recommendations
To mitigate CVE-2025-2745 effectively, European organizations should:
1) Restrict annotation and media upload privileges strictly to trusted and trained personnel to reduce the attack surface.
2) Implement strong authentication and session management controls to prevent account compromise.
3) Educate users about the risks of disabling browser security features such as CSP and train them to recognize social engineering attempts.
4) Monitor and audit annotation and media upload activities for suspicious behavior or anomalous content.
5) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious script injections in annotation content.
6) Use Content Security Policy headers configured to minimize the risk of script execution, including nonce or hash-based CSP directives where possible.
7) Engage with AVEVA for timely patching once updates become available and test patches in controlled environments before deployment.
8) Consider isolating the PI Web API interface behind additional security layers or network segmentation to limit exposure.
9) Regularly review and update incident response plans to include scenarios involving XSS in industrial web applications.
These steps go beyond generic advice by focusing on privilege management, user training specific to CSP bypass risks, and proactive monitoring tailored to the AVEVA PI Web API environment.
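As an added illustration of mitigations 4 to 6 (not AVEVA's code and not part of the original advisory), the following Python shows how a service that stores annotation attachments can validate uploads against a media allowlist, serve them with headers that do not rely on the browser's CSP staying enabled, and flag script-like annotation text for audit. The allowlist, function names and sample values are assumptions.

```python
"""Added example (not AVEVA's code): defensive handling of annotation
attachments along the lines of mitigations 4 to 6 above. The allowlist,
function names and sample values are assumptions."""
import re

# Constructed allowlist: media types an annotation may carry, keyed to the
# leading bytes a genuine file of that type starts with (assumption).
ALLOWED_MEDIA = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}

def media_type_for_upload(declared_type, data):
    """Accept an upload only if its declared type is allowlisted and the
    leading bytes match; HTML and SVG are never accepted since both can
    carry script when a browser renders them inline."""
    magic = ALLOWED_MEDIA.get(declared_type)
    if magic is None or not data.startswith(magic):
        return None
    return declared_type

def attachment_headers(filename, media_type):
    """Headers for serving an attachment: force download and forbid MIME
    sniffing (neither depends on the browser honouring CSP), plus a
    restrictive CSP as defense in depth if the file is opened inline."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": media_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

# Script-like constructs worth flagging in annotation text for audit.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"<\s*(iframe|object|embed|svg)", re.I),
]

def suspicious_annotation(text):
    """Return the patterns found in an annotation, for monitoring/alerting.
    This is a coarse audit filter, not a substitute for output encoding."""
    return [p.pattern for p in SCRIPT_PATTERNS if p.search(text)]
```

The audit filter is intended to feed monitoring (mitigation 4), not to replace server-side encoding of annotation content on output.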
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: icscert
- Date Reserved: 2025-03-24T16:30:31.847Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 684b303f358c65714e6af06c
Added to database: 6/12/2025, 7:53:35 PM
Last enriched: 6/12/2025, 8:08:46 PM
Last updated: 8/15/2025, 3:36:31 AM