Full Report
[Control systems] B&R security advisory (AV26-066)
Analysis Summary
The source notice references a B&R advisory (AV26-066) covering multiple security issues (SA24P003 and SA26P001) affecting B&R PCs and PVI products. It *does not explicitly provide* the CVE IDs, CVSS scores, detailed technical descriptions, impact levels, exploitation status, or specific patch versions for these vulnerabilities; it only points to the external PDF advisories.
The summary below is therefore built from the limited information in that notice, with placeholders for details found only in the referenced external documents.
***
# Vulnerability: B&R Control Systems Vulnerabilities (AV26-066)
## CVE Details
* **CVE ID:** Unknown (Details contained within linked advisories SA24P003 and SA26P001)
* **CVSS Score:** Unknown
* **CWE:** Unknown
## Affected Systems
* **Products:**
    * B&R PVI (Process Visualization Interface)
    * B&R PCs (multiple models)
* **Versions:**
    * PVI: Versions prior to 6.5.0
    * B&R PCs: Multiple models and versions (specific lists in linked advisories)
* **Configurations:** Not specified in the summary context.
## Vulnerability Description
The advisory covers multiple vulnerabilities:
1. **SA24P003:** B&R PCs vulnerable to the "PixieFail attack."
2. **SA26P001:** Insertion of sensitive information into the PVI Logfile ("Information Disclosure" type vulnerability).
*Note: Detailed technical specifics require consulting the linked B&R PDF advisories.*
## Exploitation
* **Status:** Unknown (Exploitation status is not documented in this summary context)
* **Complexity:** Unknown
* **Attack Vector:** Unknown
## Impact
* **Confidentiality:** Unknown
* **Integrity:** Unknown
* **Availability:** Unknown
## Remediation
### Patches
* Available patches are implied but specific version numbers are not listed in this context. Users must consult **SA24P003** and **SA26P001** linked advisories for necessary updates.
### Workarounds
* The Cyber Centre encourages users to review the provided web links and perform **suggested mitigations**. Specific workarounds are not detailed here.
## Detection
* No specific IOCs or detection methods are provided in this summary context. Users should refer to the vendor advisories for indicators related to the PixieFail attack (SA24P003) and log file anomalies (SA26P001).
## References
* B&R Advisory Serial: AV26-066 (Published: 2026-01-29)
* SA24P003: B&R PCs vulnerable to PixieFail attack: hxxps://www.br-automation.com/fileadmin/SA24P003-bb9ea116.pdf
* SA26P001: Insertion of sensitive Information into PVI Logfile: hxxps://www.br-automation.com/fileadmin/SA26P001-2862434c.pdf
* B&R Cyber Security Advisories and Notices: hxxps://www.br-automation.com/en/service/cyber-security/cyber-security-advisories-and-notices/