On May 5, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) republished an advisory from ABB detailing a medium-severity information-disclosure vulnerability in the company’s B&R PVI client software. Tracked as CVE-2026-0936, the flaw allows attackers with access to a compromised machine to harvest authentication credentials from log files generated when client-side logging is enabled. While rated medium with a CVSS v3.1 base score of 6.2, the vulnerability underscores a persistent challenge in industrial control systems (ICS): seemingly minor configuration oversights can open the door to lateral movement and deeper network compromise.

ABB B&R PVI (Process Visualization Interface) is a widely deployed human-machine interface (HMI) and supervisory control and data acquisition (SCADA) software component used in manufacturing, energy, water treatment, and other critical infrastructure sectors. The PVI client, often installed via the Automation Studio engineering platform, allows operators to interact with automation controllers, view process data, and issue commands. It typically runs on Windows-based engineering workstations and operator panels—often Windows 10, Windows 11, or Windows Server—making it a familiar presence on plant floors and control rooms around the globe. Because these systems bridge the gap between IT and OT networks, any vulnerability in PVI can have outsized consequences.

The Vulnerability: How Logging Exposes Secrets

According to ABB’s advisory, the PVI client includes a logging feature intended for diagnostic purposes. When enabled, the client writes detailed runtime information to local log files—typically in a directory like %PROGRAMDATA%\ABB\PVI\Logs. Unfortunately, these logs may contain authentication credentials—usernames, passwords, or session tokens—in plaintext or easily reversible form. An attacker who gains access to the Windows machine where the PVI client is installed can simply open a log file in Notepad or a similar text editor and read the sensitive data.

The vulnerability does not require sophisticated exploitation. No code execution or memory corruption is involved; it is purely an information disclosure resulting from inadequate log hygiene. The CVSS vector string (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicates a local attack of low complexity that needs only low privileges and no user interaction, with a changed scope and a high confidentiality impact but no impact on integrity or availability. This means a disgruntled insider with limited user rights, or malware that has gained a foothold on the workstation, can exfiltrate the credentials and reuse them to authenticate to the PVI server—or to other systems if credentials are shared.

The logged credentials often stem from the PVI client’s connectivity to PLCs, OPC UA servers, or databases. During commissioning, integrators frequently enable verbose logging to troubleshoot communication issues and then forget to disable it. The logs can end up storing passwords for SFTP connections used in recipe management, SQL Server accounts for historical data logging, or even domain credentials if the client runs under a privileged service account. For a defender, the nightmare scenario is a low-privileged user on a multi-user engineering workstation grepping for “password=” in a text file and walking away with keys to the kingdom.

Affected Systems and Exposure Vectors

ABB has not publicly listed specific version numbers in the initial advisory, but it confirms that multiple releases of the PVI client across various B&R product lines are impacted. The PVI client is often deployed on Windows 10, Windows 11, and Windows Server operating systems, which are typical platforms for industrial HMIs. Because these machines are frequently air-gapped or firewalled from the internet, the most likely attack vector is an insider threat or a prior compromise through removable media, supply chain attacks, or misconfigured remote access.

However, in increasingly connected Industry 4.0 environments, many PVI workstations are connected to corporate IT networks for data aggregation, remote support, or cloud analytics. An adversary who breaches the IT side could pivot to an engineering workstation, harvest the credentials from the PVI logs, and then move deeper into the OT network, bypassing firewalls that only inspect network traffic. This makes CVE-2026-0936 a powerful enabler of lateral movement in hybrid IT-OT attacks. The vulnerability also exemplifies a common OT security gap: industrial software often lacks the secure development lifecycle (SDL) practices standard in enterprise IT, leaving fundamental flaws like plaintext credential storage unchecked for years.

CISA and ABB Response

CISA republished the advisory through its ICS-CERT platform on May 5, 2026, as part of its role in amplifying critical infrastructure security alerts. The agency did not modify ABB’s technical assessment but added its own recommended practices for asset owners and operators. CISA emphasized that even “medium” severity vulnerabilities in ICS software should be treated seriously because of the potential for cascading failures in industrial processes. The ICS advisory, published as ICSA-26-125-01, includes a Snort rule to detect unauthorized access to PVI log files over network shares (SMB).

ABB has issued a software update that disables the logging of sensitive information by default. The company also provides a configuration tool that allows administrators to purge existing log files and ensure that future log output excludes credential data. ABB’s advisory (document ID 3ADR011111) details the mitigation steps and is available on the ABB Library website. The patch can be deployed as a Microsoft Installer (MSI) package, making it compatible with enterprise deployment tools like Group Policy or Microsoft Endpoint Configuration Manager—though OT change management processes will likely slow its rollout.

Mitigations and Workarounds

For organizations unable to apply the patch immediately, CISA and ABB offer several short-term workarounds:
- Disable client-side logging: Navigate to the PVI client configuration settings—usually accessible via the PVI Manager tool or a .config XML file—and turn off the logging feature entirely. While this removes diagnostic data that could aid in troubleshooting, it eliminates the credential leakage vector.
- Restrict file access: Apply strict NTFS permissions to the directory where PVI log files are stored. Only authorized administrative accounts should have read access. You can use icacls from an elevated command prompt: icacls "C:\ProgramData\ABB\PVI\Logs" /inheritance:r /grant:r "Administrators:(OI)(CI)F".
- Monitor and alert: Enable Windows file auditing on the log folder (SACL entry for “Everyone:Read”) to generate Event ID 4663. Forward these events to a SIEM or use Microsoft Defender for Endpoint’s advanced hunting queries to detect unusual file access patterns.
- Rotate credentials: After cleaning the logs and applying the fix, change all credentials that could have been exposed. This includes PVI service accounts, operator logins, and any domain accounts used by the SCADA application.

Longer term, asset owners should review the logging practices of all third-party industrial software. The PVI case is not unique—many HMI and engineering tools inadvertently capture sensitive data during routine operations. A policy of “log what is necessary, not everything” combined with regular log sanitation procedures (e.g., scheduled PowerShell scripts to scrub known patterns) can dramatically reduce the risk of similar vulnerabilities.
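The "restrict file access", "monitor and alert" and log-sanitation points above, combined into one script as an added example (not code from ABB's or CISA's advisory). It uses the log path the article names; the credential key names in the regex and the optional log-writer account are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from ABB's or CISA's advisory. Locks down the PVI log
# folder named above, adds the read-audit SACL that yields Event ID 4663, and
# redacts credential-looking key=value pairs already on disk, reporting counts
# only. The key names in $Pattern and the $LogWriter account are assumptions.
param(
    [string]$LogDir    = 'C:\ProgramData\ABB\PVI\Logs',
    [string]$LogWriter = ''   # account the PVI client runs as, if logging must stay on
)
$inherit = 'ContainerInherit,ObjectInherit'

# 1. Restrict access: stop inheritance, drop existing ACEs, grant admins and SYSTEM.
$acl = Get-Acl -Path $LogDir
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $inherit, 'None', 'Allow')))
}
if ($LogWriter) {
    # Writer may create and append log files but cannot read them back; widen only if the client fails to log.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $LogWriter, 'Write,Synchronize', $inherit, 'None', 'Allow')))
}
Set-Acl -Path $LogDir -AclObject $acl

# 2. Audit successful reads by Everyone -> Event ID 4663 ("Audit File System" policy must be enabled).
$audit = Get-Acl -Path $LogDir -Audit
$audit.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData', $inherit, 'None', 'Success')))
Set-Acl -Path $LogDir -AclObject $audit

# 3. Redact secret values in place; keep the key so the line stays diagnosable.
$Pattern = '(?i)\b(password|passwd|pwd|token|secret)\s*=\s*[^\s;,"]+'
$total = 0
Get-ChildItem -Path $LogDir -Recurse -File | ForEach-Object {
    $text = Get-Content -Path $_.FullName -Raw
    if (-not $text) { return }
    $n = [regex]::Matches($text, $Pattern).Count
    if ($n -gt 0) {
        Set-Content -Path $_.FullName -NoNewline -Value ([regex]::Replace($text, $Pattern, '$1=[REDACTED]'))
        Write-Warning "$($_.FullName): $n credential-like value(s) redacted; treat as a breach indicator"
        $total += $n
    }
}
Write-Output "Hardened $LogDir; $total credential-like value(s) redacted."
```

Run it once from an elevated prompt after disabling client logging, and again as a scheduled task if logging has to stay on during commissioning; the warning lines, not the redacted values, are what goes to the incident response team.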

The Bigger Picture: OT Log Hygiene and Secure Configuration

CVE-2026-0936 is a textbook example of a security gap that arises from an otherwise useful feature. Diagnostic logging is essential for troubleshooting and forensic analysis, but developers often fail to consider what gets written to disk. In the OT world, where systems may run for years without updates, a configuration choice made during commissioning can become a persistent weakness. The CVSS score of 6.2 may seem moderate, but in environments where confidentiality breaches can directly lead to sabotaged processes, the effective risk is much higher. For comparison, a similar flaw in GE’s CIMPLICITY (CVE-2019-6543) led to widespread scrambling among power utilities in 2019.

The SANS Institute and industrial security frameworks like IEC 62443 stress the importance of secure by design and secure by default. ABB’s patch shifts the default to not log credentials, but systems deployed before the patch may have logging enabled and will remain exposed until manually reconfigured. This highlights the ongoing challenge of patch management in OT: even when a fix is available, operators are hesitant to update production systems due to uptime requirements and validation testing. CISA’s “Shields Up” campaign continues to urge all asset owners to harden endpoints—especially engineering workstations that are often treated as low-priority compared to servers.

What Windows Administrators Should Do Now

For the audience of windowsnews.ai—system administrators, IT pros, and power users who manage Windows environments that intersect with industrial operations—CVE-2026-0936 is a powerful reminder. Even if you are not directly responsible for ABB equipment, you may manage the underlying Windows infrastructure on which such software runs. Take these steps immediately:

  1. Inventory all industrial software: Identify every Windows machine running HMI, SCADA, or engineering tools from ABB, Siemens, Rockwell, GE, or other vendors. Check for the presence of “PVI Client” in the installed programs list (you can query remotely with Get-WmiObject Win32_Product).
  2. Check logging configuration: On any machine with ABB PVI Client, open PVI Manager, navigate to the logging section, and verify that “Enable Client Logging” is unchecked. If it is checked, uncheck it and delete all files in the log directory.
  3. Apply the latest ABB updates: Download the patch from ABB Library (search for “PVI Client security update May 2026”). The MSI can be deployed via your standard patch management system if OT policies allow. Test the update in a staging environment first.
  4. Scan for exposed credentials: Use PowerShell to search the log directory for suspicious strings. For example:
    Get-ChildItem -Path "C:\ProgramData\ABB\PVI\Logs" -Recurse -File | Select-String -Pattern "password=" -SimpleMatch
    Any hits should be treated as a potential breach indicator and escalated to the incident response team.
  5. Strengthen Windows hardening: Enable Windows Defender Credential Guard, LSA Protection, and Controlled Folder Access to limit the blast radius even if credentials are stolen. Ensure that the user account running the PVI client has the least privilege necessary—never run HMI software as a domain administrator.
  6. Deploy detection rules: Import the Snort rule provided in CISA’s advisory into your NIDS/NIPS. If you use Microsoft Defender for Endpoint, create a custom detection rule that triggers on process accesses to the PVI log directory from non-ABB processes.
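Step 6 and the earlier "monitor and alert" workaround both rely on Event ID 4663 from the log-folder SACL. The hunt below is an added example, not from CISA's advisory or Defender for Endpoint: it reads those events from the Security log and lists every user/process pair that read PVI log files without being on an allow-list. The executable name in the allow-list is a placeholder; the real PVI client binary names come from your installation.

```powershell
#Requires -RunAsAdministrator
# Added example, not from CISA's advisory or Defender for Endpoint. Hunts Security
# log Event ID 4663 records for reads of the PVI log folder by processes outside
# an allow-list. The executable name in $AllowedProcesses is a placeholder; take
# the real PVI client binary names from your own installation.
param(
    [string]$LogDir = 'C:\ProgramData\ABB\PVI\Logs',
    [string[]]$AllowedProcesses = @('PLACEHOLDER_PviClient.exe'),
    [int]$Hours = 24
)
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$findings = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    if (-not $d.ObjectName) { continue }
    if (-not $d.ObjectName.StartsWith($LogDir, 'OrdinalIgnoreCase')) { continue }
    # AccessMask bit 0x1 = ReadData; writes by the logger itself are not of interest.
    if (-not ([Convert]::ToInt32($d.AccessMask, 16) -band 0x1)) { continue }
    $proc = [IO.Path]::GetFileName($d.ProcessName)
    if ($AllowedProcesses -contains $proc) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process = $d.ProcessName
        File    = $d.ObjectName
    }
}

# One row per user/process pair, busiest first; each row is a lead for IR triage.
$findings | Group-Object User, Process | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Files'; e = { ($_.Group.File | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

Reads by notepad.exe, cmd.exe or a remote SMB session (process name "System" with a network logon) from a non-administrative account are the pattern the article warns about and should be escalated rather than tuned out.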

Conclusion

CVE-2026-0936 may not grab headlines with a 9.8 CVSS score, but its danger lies in its subtlety and pervasiveness. A password carelessly saved in a log file is a gift to adversaries—it can be reused, cracked offline, or sold to the highest bidder. In ICS environments where physical safety and production uptime rule, a credential leak can enable manipulated processes, disabled safety systems, or data exfiltration that goes undetected for months.

CISA’s amplification of ABB’s advisory should spur Windows and OT administrators to scrutinize all industrial software logging practices. As digital transformation fuses IT and OT, basic configuration hygiene becomes a critical bulwark against cyber threats. Patching PVI is the quick fix, but the real defense is a culture of secure defaults, regular audits, and the humility to assume that every feature—even logging—can be a double-edged sword. Don’t let your next incident report point to a text file nobody remembered to lock.