Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64691

CVE-2025-64691: Aveva Process Optimization Escalation Flaw

CVE-2025-64691 is a privilege escalation vulnerability in Aveva Process Optimization allowing authenticated users to tamper with TCL scripts and gain system privileges. This article covers technical details, risks, and mitigation.

Updated:

CVE-2025-64691 Overview

CVE-2025-64691 is a code injection vulnerability [CWE-94] affecting AVEVA Process Optimization. An authenticated local user with standard operating system privileges can tamper with Tool Command Language (TCL) Macro scripts to escalate privileges to the OS system context. Successful exploitation could lead to complete compromise of the model application server. The vulnerability is tracked under CISA ICS Advisory ICSA-26-015-01 and impacts industrial control system (ICS) environments where AVEVA Process Optimization is deployed.

Critical Impact

A standard OS user can manipulate TCL Macro scripts to gain SYSTEM-level execution, resulting in full compromise of the model application server hosting AVEVA Process Optimization.

Affected Products

  • AVEVA Process Optimization (all supported versions prior to vendor patch)
  • Deployments hosting TCL Macro scripting functionality
  • Model application servers running AVEVA Process Optimization in ICS/OT environments

Discovery Timeline

  • 2026-01-16 - CVE-2025-64691 published to NVD
  • 2026-01-22 - Last updated in NVD database

Technical Details for CVE-2025-64691

Vulnerability Analysis

The vulnerability resides in how AVEVA Process Optimization handles TCL Macro scripts. TCL Macros execute under elevated privileges on the model application server. The product does not adequately restrict modification of these macro scripts by lower-privileged OS users. An authenticated local attacker with standard OS user rights can inject or modify TCL code within macros that subsequently run under the SYSTEM account.

This is a classic code injection issue [CWE-94] combined with insufficient access controls on script storage. Because TCL Macros are interpreted at runtime by a privileged process, any tampering directly translates into arbitrary code execution at the privilege level of the executing service.

Root Cause

The root cause is improper control of generation of code within TCL Macro scripts. File system or application-level permissions on macro script resources allow non-privileged OS users to write or modify content that is later loaded and executed by a higher-privileged process. The trust boundary between standard users and the macro execution engine is not enforced.

Attack Vector

Exploitation requires local access and valid OS standard user credentials on the host running AVEVA Process Optimization. The attacker modifies an existing TCL Macro script or introduces malicious TCL code into a location processed by the macro engine. When the macro executes, the injected payload runs with SYSTEM privileges, bypassing user-level restrictions and granting full control of the model application server.

No verified public proof-of-concept code is available. See the CISA ICS Advisory #ICSA-26-015-01 and the GitHub CSAF Document for technical details.

Detection Methods for CVE-2025-64691

Indicators of Compromise

  • Unexpected modifications to TCL Macro script files (.tcl) on AVEVA Process Optimization servers
  • New or modified macro scripts authored by non-administrative OS accounts
  • Child processes spawned by AVEVA Process Optimization services running as SYSTEM that execute unusual commands (cmd.exe, powershell.exe, script interpreters)
  • New service accounts, scheduled tasks, or persistence artifacts created on the model application server

Detection Strategies

  • Monitor file integrity on directories containing TCL Macro scripts and flag write operations performed by standard user accounts
  • Audit process creation events where AVEVA Process Optimization service processes spawn shell, scripting, or LOLBin binaries
  • Correlate authenticated local logon events with subsequent modifications to macro script resources
  • Track privilege escalation patterns where standard user activity precedes SYSTEM-context process execution

Monitoring Recommendations

  • Enable Windows Security event logging for object access on macro script directories and forward to a centralized SIEM
  • Baseline legitimate macro authoring activity and alert on deviations from approved engineering workstations
  • Restrict and monitor interactive logons to AVEVA Process Optimization servers; treat each session as a potential exploitation vector

How to Mitigate CVE-2025-64691

Immediate Actions Required

  • Apply the AVEVA security patch for Process Optimization referenced in the vendor advisory as soon as operationally feasible
  • Restrict local logon to AVEVA Process Optimization servers to vetted engineering and administrative accounts only
  • Audit file system permissions on TCL Macro script directories and remove write access for non-privileged OS users
  • Review existing macro scripts for unauthorized modifications and restore from known-good backups where tampering is suspected

Patch Information

AVEVA has released a security update addressing CVE-2025-64691. Patches and version details are available from AVEVA Cyber Security Updates and the AVEVA Product Download portal. CISA mitigation guidance is provided in ICS Advisory ICSA-26-015-01.

Workarounds

  • Enforce least-privilege OS access policies and remove standard user accounts that do not require interactive access to the model application server
  • Place AVEVA Process Optimization servers behind ICS/OT network segmentation to limit local logon paths
  • Use application allowlisting to prevent unauthorized interpreters or binaries from executing under the AVEVA service context
  • Implement file integrity monitoring on TCL Macro script directories until the patch is deployed
bash
# Example: tighten ACLs on TCL Macro script directory (Windows)
# Remove write access from authenticated users; restrict to administrators and AVEVA service account
icacls "C:\Path\To\AVEVA\Macros" /inheritance:r
icacls "C:\Path\To\AVEVA\Macros" /grant:r "Administrators:(OI)(CI)F"
icacls "C:\Path\To\AVEVA\Macros" /grant:r "AVEVA_ServiceAccount:(OI)(CI)RX"
icacls "C:\Path\To\AVEVA\Macros" /remove "Users"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.