CVE-2026-5387

The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modification of simulation parameters, training configuration, and training records.

CVSS

No CVSS.

References

Link	Resource
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-04.json
https://softwaresupportsp.aveva.com/en-US/downloads/products/details/57b79fdb-7b5f-4125-8a44-833b6b5c6d6f
https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2026-004.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-04

Configurations

No configuration.

History

15 Apr 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-15 16:16

Updated : 2026-06-17 10:58

NVD link : CVE-2026-5387

Mitre link : CVE-2026-5387

CVE.ORG link : CVE-2026-5387

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-5387", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-5387", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T17:38:40.210058Z"}}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "ics-cert@hq.dhs.gov", "affectedData": [{"vendor": "AVEVA", "product": "Pipeline Simulation 2025", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2025 SP1 (build 7.1.9497.6351)"}], "defaultStatus": "unaffected"}]}], "published": "2026-04-15T16:16:39.007", "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-04.json", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://softwaresupportsp.aveva.com/en-US/downloads/products/details/57b79fdb-7b5f-4125-8a44-833b6b5c6d6f", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2026-004.pdf", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-04", "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations\u00a0intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modification of simulation parameters, training configuration, and training records."}], "lastModified": "2026-06-17T10:58:56.900", "sourceIdentifier": "ics-cert@hq.dhs.gov"}