Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61943

CVE-2025-61943: Aveva Process Optimization SQLi Vulnerability

CVE-2025-61943 is a SQL injection flaw in Aveva Process Optimization that allows authenticated users to execute code with SQL Server admin privileges. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-61943 Overview

CVE-2025-61943 is a SQL injection vulnerability [CWE-89] in AVEVA Process Optimization affecting the Captive Historian component. An authenticated user holding the Process Optimization Standard User role can tamper with database queries and execute arbitrary code under SQL Server administrative privileges. Successful exploitation can result in complete compromise of the underlying SQL Server instance, including the confidentiality and integrity of all hosted data. The flaw was published in the CISA ICS Advisory ICSA-26-015-01 and carries a CVSS v4.0 base score of 9.3. Because Process Optimization is deployed in operational technology (OT) environments, exploitation can pivot from IT-adjacent SQL workloads into industrial process data.

Critical Impact

An authenticated low-privilege user can achieve SQL Server administrator-level code execution through query tampering in Captive Historian, resulting in full database compromise.

Affected Products

  • AVEVA Process Optimization (Captive Historian component)
  • Deployments using the Process Optimization Standard User role
  • SQL Server instances backing the Captive Historian

Discovery Timeline

  • 2026-01-16 - CVE-2025-61943 published to NVD
  • 2026-01-22 - Last updated in NVD database

Technical Details for CVE-2025-61943

Vulnerability Analysis

The vulnerability resides in the Captive Historian module of AVEVA Process Optimization. The application accepts user-influenced input and concatenates it into SQL statements executed against the backing SQL Server. Because Captive Historian connects to SQL Server with administrative privileges, injected statements run with elevated database authority. An attacker authenticated as a Process Optimization Standard User can therefore escalate from application-level access to SQL Server administrative code execution. The CWE-89 classification confirms improper neutralization of special elements used in an SQL command. Exploitation is local to the application context but does not require user interaction beyond the attacker's own authenticated session.

Root Cause

The root cause is improper input sanitization in queries constructed by Captive Historian. User-controllable parameters reach the SQL statement builder without parameterization or strict validation, allowing attacker-supplied SQL fragments to alter query semantics.

Attack Vector

The attack vector is local and requires valid Process Optimization Standard User credentials. An attacker submits crafted input to a Captive Historian interface that constructs SQL queries. The injected payload executes under the database connection's administrative context, enabling commands such as xp_cmdshell invocation, schema modification, or extraction of sensitive process data. No additional privileges or user interaction are required to weaponize the issue once authenticated access is obtained.

No public proof-of-concept exploit code has been verified for this CVE. Refer to the CISA ICS Advisory ICSA-26-015-01 for technical details.

Detection Methods for CVE-2025-61943

Indicators of Compromise

  • Unexpected SQL Server logins or sessions originating from the Captive Historian service account with administrative role usage.
  • SQL Server audit entries showing xp_cmdshell, sp_configure, or OPENROWSET activity tied to Process Optimization queries.
  • Anomalous query patterns containing stacked statements, comment terminators (--, /* */), or UNION SELECT clauses in Captive Historian logs.
  • Creation of new SQL Server logins, linked servers, or scheduled SQL Agent jobs not aligned with change management records.

Detection Strategies

  • Enable SQL Server auditing on the Captive Historian database and alert on administrative DDL or extended stored procedure execution.
  • Inspect Process Optimization application logs for input fields that reach Captive Historian query paths and flag inputs containing SQL metacharacters.
  • Correlate authentication events for Process Optimization Standard Users with database-level privileged operations occurring on the same host.

Monitoring Recommendations

  • Forward SQL Server, Windows, and Process Optimization application logs to a centralized analytics platform for correlation.
  • Baseline normal Captive Historian query shapes and alert on deviations such as multi-statement batches or system catalog access.
  • Monitor outbound network connections from the SQL Server host to detect post-exploitation command-and-control or data exfiltration.

How to Mitigate CVE-2025-61943

Immediate Actions Required

  • Apply the AVEVA-supplied update for Process Optimization Captive Historian as documented in ICSA-26-015-01.
  • Restrict assignment of the Process Optimization Standard User role to vetted operators and revoke unused accounts.
  • Reduce the SQL Server account used by Captive Historian to the least privilege required and disable xp_cmdshell if not needed.
  • Segment the Process Optimization server within the OT network and block direct internet exposure.

Patch Information

AVEVA has issued guidance through the AVEVA Cyber Security Updates portal and the AVEVA Product Download site. Coordinated disclosure details are published in CISA ICS Advisory ICSA-26-015-01 and the CSAF document. Administrators should validate patch deployment on every Captive Historian instance.

Workarounds

  • Limit network access to the Captive Historian service to trusted operator workstations using host firewalls or ACLs.
  • Run the SQL Server backing Captive Historian under a dedicated non-sysadmin account where supported by AVEVA.
  • Enable enhanced SQL Server auditing and alert on use of extended stored procedures from the Captive Historian session.
  • Require multi-factor authentication and strong credential hygiene for all Process Optimization users.
bash
# Configuration example: disable xp_cmdshell on the Captive Historian SQL Server
sqlcmd -S <server> -E -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.