CVE-2026-1495 is a vulnerability classified under CWE-532 (Insertion of Sensitive Information into Log File) affecting the AVEVA PI to CONNECT Agent. The flaw arises because the software logs sensitive proxy configuration details, including URLs and proxy credentials, into event log files without adequate protection. An attacker who has been granted membership in the Event Log Reader group (S-1-5-32-573) can access these logs and extract the sensitive information. This group typically has read access to event logs but is considered a limited privilege group, meaning the vulnerability can be exploited without administrative rights. The exposure of proxy credentials can lead to unauthorized access to proxy servers, which may serve as gateways to internal networks or critical systems. The vulnerability does not require user interaction and does not affect the integrity or availability of the system, but it compromises confidentiality. The CVSS v3.1 base score is 6.5, reflecting a medium severity level due to the combination of local access requirements and high confidentiality impact. No public exploits have been reported yet, and no patches are currently linked, indicating that mitigation relies on access control and monitoring until a vendor fix is released. This vulnerability is particularly relevant in industrial control system environments where AVEVA PI to CONNECT Agent is deployed for data integration and connectivity.

For European organizations, especially those in industrial automation, manufacturing, energy, and critical infrastructure sectors, this vulnerability poses a significant risk to confidentiality. Unauthorized access to proxy credentials could allow attackers to pivot through proxy servers, potentially bypassing network segmentation and gaining access to sensitive internal systems. This could lead to further reconnaissance or lateral movement within networks, increasing the risk of data breaches or disruption of operational technology environments. Since the vulnerability requires only Event Log Reader privileges, which may be granted to various service accounts or users for legitimate monitoring purposes, the attack surface is broader than vulnerabilities requiring administrative access. The compromise of proxy credentials could also undermine network security controls, impacting compliance with European data protection regulations such as GDPR if sensitive data is exposed or intercepted. The lack of known exploits currently limits immediate risk, but the potential for escalation and lateral movement makes this a concern for European entities relying on AVEVA PI to CONNECT Agent.

European organizations should immediately review and restrict membership of the Event Log Reader group to only trusted and necessary accounts, minimizing the number of users who can access event logs. Implement strict access controls and auditing on event log files to detect unauthorized access attempts. Employ network segmentation and proxy server hardening to limit the impact if credentials are compromised. Monitor logs for unusual access patterns to proxy servers and consider implementing multi-factor authentication on proxy access where possible. Coordinate with AVEVA to obtain and apply patches or updates as soon as they become available. Additionally, consider encrypting sensitive log data or redirecting logs to secure, access-controlled storage to reduce exposure. Conduct regular security awareness training for administrators and operators about the risks of privilege misuse and the importance of protecting event log access. Finally, integrate this vulnerability into vulnerability management and incident response plans to ensure timely detection and remediation.