CVE-2025-64691 Overview
CVE-2025-64691 is a critical code injection vulnerability affecting Aveva Process Optimization software. The vulnerability allows an authenticated local user with standard OS privileges to tamper with TCL Macro scripts and escalate privileges to OS system level. Successful exploitation could result in complete compromise of the model application server, giving attackers full control over the affected system.
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code, also known as Code Injection), indicating that the application fails to properly validate or sanitize input that is subsequently used in code generation or execution contexts.
Critical Impact
An authenticated attacker with standard OS user access can escalate privileges to system level by tampering with TCL Macro scripts, potentially leading to complete compromise of the Aveva Process Optimization model application server.
Affected Products
- Aveva Process Optimization (all versions prior to patched release)
- Systems running Aveva Process Optimization with TCL Macro script functionality
- Model application servers utilizing Aveva Process Optimization
Discovery Timeline
- 2026-01-16 - CVE-2025-64691 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-64691
Vulnerability Analysis
This vulnerability exists within the TCL Macro script handling functionality of Aveva Process Optimization. TCL (Tool Command Language) scripts are commonly used for automation and customization tasks within industrial control software. The vulnerability stems from insufficient access controls and validation on TCL Macro script files, allowing authenticated users with standard OS privileges to modify these scripts.
When the modified scripts are executed by the application, they run with elevated system privileges, enabling the attacker to execute arbitrary commands at the OS system level. This type of code injection vulnerability is particularly dangerous in industrial control system (ICS) environments where Aveva Process Optimization is commonly deployed.
The local attack vector requires the attacker to have authenticated access to the target system. However, once this prerequisite is met, the attack complexity is low, requiring no user interaction to execute successfully. The impact extends beyond the vulnerable component itself, potentially affecting other systems connected to the compromised model application server.
Root Cause
The root cause of CVE-2025-64691 is improper access control and input validation on TCL Macro script files within Aveva Process Optimization. The application fails to adequately protect these script files from modification by standard OS users, and does not properly validate or sanitize script content before execution. This allows malicious code to be injected into scripts that are subsequently executed with elevated system privileges.
Attack Vector
The attack requires local access to the system running Aveva Process Optimization. An authenticated attacker with standard OS user privileges can:
- Identify TCL Macro script files used by the application
- Modify these script files to include malicious TCL commands
- Wait for or trigger the execution of the modified scripts
- Achieve privilege escalation to OS system level when the scripts execute
The vulnerability manifests in the way Aveva Process Optimization handles TCL Macro script execution. When scripts are modified with malicious content, the injected code executes with the privileges of the application service, which typically runs at an elevated level. For detailed technical information, refer to the CISA ICS Advisory.
Detection Methods for CVE-2025-64691
Indicators of Compromise
- Unexpected modifications to TCL Macro script files in Aveva Process Optimization installation directories
- New or modified TCL scripts with unusual commands such as exec, open, or system call invocations
- Unusual process spawning from the Aveva Process Optimization service process
- Evidence of privilege escalation attempts in Windows Security Event logs
Detection Strategies
- Monitor file integrity of TCL Macro script directories using SentinelOne's Real-Time File Integrity Monitoring
- Configure alerts for modifications to .tcl files within the Aveva Process Optimization installation path
- Implement behavioral detection rules to identify unusual child process creation from the application service
- Review authentication logs for suspicious local user activity preceding script modifications
Monitoring Recommendations
- Enable detailed audit logging for file access and modification on TCL script directories
- Deploy SentinelOne Singularity Platform with ICS/OT protection policies to monitor industrial control system assets
- Implement least-privilege access controls and monitor for privilege escalation attempts
- Correlate file modification events with subsequent process execution to identify attack chains
How to Mitigate CVE-2025-64691
Immediate Actions Required
- Restrict file system permissions on TCL Macro script directories to prevent modification by standard OS users
- Audit all TCL Macro scripts for unauthorized modifications and restore from known-good backups if tampering is detected
- Implement application whitelisting to prevent execution of unauthorized scripts
- Isolate affected systems from critical network segments until patches can be applied
Patch Information
Aveva has released security updates to address this vulnerability. Administrators should download and apply the latest security patches from the Aveva Product Download Portal. For additional guidance, refer to the Aveva Cyber Security Updates page.
CISA has also published an ICS advisory (ICSA-26-015-01) with additional mitigation recommendations for this vulnerability.
Workarounds
- Apply strict file system ACLs to remove write permissions for standard users on TCL script directories
- Implement code signing for TCL Macro scripts and configure the application to only execute signed scripts if supported
- Deploy file integrity monitoring solutions to detect and alert on unauthorized script modifications
- Consider running Aveva Process Optimization in a hardened environment with restricted user access until patches are applied
# Configuration example - Restrict TCL script directory permissions (Windows)
icacls "C:\Program Files\Aveva\ProcessOptimization\Scripts" /inheritance:r
icacls "C:\Program Files\Aveva\ProcessOptimization\Scripts" /grant:r "SYSTEM:(OI)(CI)F"
icacls "C:\Program Files\Aveva\ProcessOptimization\Scripts" /grant:r "Administrators:(OI)(CI)F"
icacls "C:\Program Files\Aveva\ProcessOptimization\Scripts" /grant:r "Users:(OI)(CI)RX"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
