ABB Patches Information Disclosure Flaw in B&R PVI Software
ABB has patched a medium-severity vulnerability in its B&R PVI software that could allow local attackers to harvest sensitive credentials from application log files.

ABB has released a security update to address a vulnerability in its B&R PVI (Process Visualization Interface) software that could allow an attacker to access sensitive information stored in application logs. The flaw, tracked as CVE-2026-0936, affects all PVI client versions prior to 6.5.0 (CISA).
The vulnerability is classified as an "Insertion of Sensitive Information into Log File" (CWE-532), carrying a CVSS v3.1 base score of 5.0, which is considered medium severity (CISA). According to the advisory, the issue can be exploited by an authenticated local attacker who could leverage the flaw to gather credential information processed by the PVI client application (CISA).
A critical detail regarding the exploitability of this vulnerability is that the logging function in PVI client versions is deactivated by default (CISA). For the vulnerability to be triggered, a user must explicitly enable the logging feature. ABB notes that the vulnerability is strictly limited to the client-side application logging and does not impact the security-related logging of the PVI server component (CISA).
ABB has provided a fix for this issue in PVI version 6.5.0 (CISA). Because PVI is integrated into the Automation Studio installation package, the software shares the same version numbering as the corresponding Automation Studio release. The vendor strongly recommends that customers update their systems to version 6.5.0 at their earliest convenience to remediate the risk (CISA).
For users unable to update immediately, ABB offers specific mitigation guidance. The company advises that logging should only be activated on client systems when necessary for troubleshooting or debugging, and that all log files should be securely deleted once they are no longer required (CISA). Furthermore, if logging is enabled, administrators must ensure that the storage path for these files is restricted so that only the authorized user has access to the directories where the data is stored (CISA).
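The interim guidance above (restrict the log directory to the authorized user, remove logs once troubleshooting is done) can be audited with a script like the following. This is an added example, not ABB's or B&R's code; the log directory path and the authorized account are placeholders, since the advisory does not name them.

```powershell
# Added audit example (not ABB/B&R code). Assumptions: the PVI client log directory
# and the authorized user below are constructed placeholders; set both for your site.
param(
    [string]$LogDir = 'C:\PVI_CLIENT_LOG_DIR_PLACEHOLDER',       # placeholder path
    [string]$AuthorizedUser = "$env:USERDOMAIN\pvi-operator",   # placeholder account
    [int]$MaxAgeDays = 7                                        # troubleshooting window
)

if (-not (Test-Path -LiteralPath $LogDir)) {
    Write-Output "Log directory '$LogDir' does not exist; client logging is probably not enabled."
    return
}

# Principals that may hold access besides the authorized user. SYSTEM is kept so the
# client process can still write; any other identity is reported as a finding.
$allowed = @($AuthorizedUser, 'NT AUTHORITY\SYSTEM')

$acl = Get-Acl -LiteralPath $LogDir
$findings = @()

foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value
    if ($allowed -notcontains $id) {
        $findings += "ACE grants $($ace.FileSystemRights) to '$id' ($($ace.AccessControlType))"
    }
}

# Inherited ACEs typically come from the parent folder and often include broad groups
# such as 'Users'; restricting the path means breaking that inheritance explicitly.
if (-not $acl.AreAccessRulesProtected) {
    $findings += 'Directory inherits permissions from its parent; restrict the path explicitly'
}

# Log files kept beyond the troubleshooting window should be securely deleted.
$stale = Get-ChildItem -LiteralPath $LogDir -File -Recurse |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$MaxAgeDays) }
foreach ($f in $stale) {
    $findings += "Log file older than $MaxAgeDays days still present: $($f.FullName)"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: '$LogDir' is restricted to $AuthorizedUser and holds no stale logs."
} else {
    Write-Output "FINDINGS for '$LogDir':"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell session on each client where PVI logging has been switched on; a clean result means the directory ACL matches the advisory's "authorized user only" requirement and no forgotten log files remain.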
This vulnerability highlights the ongoing risks associated with debug and diagnostic features in industrial control system (ICS) software. While such features are essential for maintenance, they often inadvertently expose sensitive data if not properly secured. Organizations operating in critical infrastructure sectors, such as energy, are encouraged to review their logging configurations and ensure that security best practices are applied to all diagnostic outputs to prevent unauthorized access to credentials or other sensitive system information (CISA).