CVE-2025-64691 Overview
CVE-2025-64691 is a code injection vulnerability [CWE-94] affecting AVEVA Process Optimization. An authenticated local user with standard operating system privileges can tamper with Tool Command Language (TCL) Macro scripts to escalate privileges to the OS system context. Successful exploitation could lead to complete compromise of the model application server. The vulnerability is tracked under CISA ICS Advisory ICSA-26-015-01 and impacts industrial control system (ICS) environments where AVEVA Process Optimization is deployed.
Critical Impact
A standard OS user can manipulate TCL Macro scripts to gain SYSTEM-level execution, resulting in full compromise of the model application server hosting AVEVA Process Optimization.
Affected Products
- AVEVA Process Optimization (all supported versions prior to vendor patch)
- Deployments hosting TCL Macro scripting functionality
- Model application servers running AVEVA Process Optimization in ICS/OT environments
Discovery Timeline
- 2026-01-16 - CVE-2025-64691 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-64691
Vulnerability Analysis
The vulnerability resides in how AVEVA Process Optimization handles TCL Macro scripts. TCL Macros execute under elevated privileges on the model application server. The product does not adequately restrict modification of these macro scripts by lower-privileged OS users. An authenticated local attacker with standard OS user rights can inject or modify TCL code within macros that subsequently run under the SYSTEM account.
This is a classic code injection issue [CWE-94] combined with insufficient access controls on script storage. Because TCL Macros are interpreted at runtime by a privileged process, any tampering directly translates into arbitrary code execution at the privilege level of the executing service.
Root Cause
The root cause is improper control of generation of code within TCL Macro scripts. File system or application-level permissions on macro script resources allow non-privileged OS users to write or modify content that is later loaded and executed by a higher-privileged process. The trust boundary between standard users and the macro execution engine is not enforced.
Attack Vector
Exploitation requires local access and valid OS standard user credentials on the host running AVEVA Process Optimization. The attacker modifies an existing TCL Macro script or introduces malicious TCL code into a location processed by the macro engine. When the macro executes, the injected payload runs with SYSTEM privileges, bypassing user-level restrictions and granting full control of the model application server.
No verified public proof-of-concept code is available. See the CISA ICS Advisory #ICSA-26-015-01 and the GitHub CSAF Document for technical details.
Detection Methods for CVE-2025-64691
Indicators of Compromise
- Unexpected modifications to TCL Macro script files (.tcl) on AVEVA Process Optimization servers
- New or modified macro scripts authored by non-administrative OS accounts
- Child processes spawned by AVEVA Process Optimization services running as SYSTEM that execute unusual commands (cmd.exe, powershell.exe, script interpreters)
- New service accounts, scheduled tasks, or persistence artifacts created on the model application server
Detection Strategies
- Monitor file integrity on directories containing TCL Macro scripts and flag write operations performed by standard user accounts
- Audit process creation events where AVEVA Process Optimization service processes spawn shell, scripting, or LOLBin binaries
- Correlate authenticated local logon events with subsequent modifications to macro script resources
- Track privilege escalation patterns where standard user activity precedes SYSTEM-context process execution
Monitoring Recommendations
- Enable Windows Security event logging for object access on macro script directories and forward to a centralized SIEM
- Baseline legitimate macro authoring activity and alert on deviations from approved engineering workstations
- Restrict and monitor interactive logons to AVEVA Process Optimization servers; treat each session as a potential exploitation vector
How to Mitigate CVE-2025-64691
Immediate Actions Required
- Apply the AVEVA security patch for Process Optimization referenced in the vendor advisory as soon as operationally feasible
- Restrict local logon to AVEVA Process Optimization servers to vetted engineering and administrative accounts only
- Audit file system permissions on TCL Macro script directories and remove write access for non-privileged OS users
- Review existing macro scripts for unauthorized modifications and restore from known-good backups where tampering is suspected
Patch Information
AVEVA has released a security update addressing CVE-2025-64691. Patches and version details are available from AVEVA Cyber Security Updates and the AVEVA Product Download portal. CISA mitigation guidance is provided in ICS Advisory ICSA-26-015-01.
Workarounds
- Enforce least-privilege OS access policies and remove standard user accounts that do not require interactive access to the model application server
- Place AVEVA Process Optimization servers behind ICS/OT network segmentation to limit local logon paths
- Use application allowlisting to prevent unauthorized interpreters or binaries from executing under the AVEVA service context
- Implement file integrity monitoring on TCL Macro script directories until the patch is deployed
# Example: tighten ACLs on TCL Macro script directory (Windows)
# Remove write access from authenticated users; restrict to administrators and AVEVA service account
icacls "C:\Path\To\AVEVA\Macros" /inheritance:r
icacls "C:\Path\To\AVEVA\Macros" /grant:r "Administrators:(OI)(CI)F"
icacls "C:\Path\To\AVEVA\Macros" /grant:r "AVEVA_ServiceAccount:(OI)(CI)RX"
icacls "C:\Path\To\AVEVA\Macros" /remove "Users"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

