CVE-2025-65117 Overview
CVE-2025-65117 affects AVEVA Process Optimization, an industrial control system (ICS) software platform used in process industries. The vulnerability allows an authenticated user with Process Optimization Designer privileges to embed Object Linking and Embedding (OLE) objects into graphical elements. When a victim user interacts with the affected graphics, the embedded OLE payload executes under the victim's identity, resulting in privilege escalation. The flaw is categorized under [CWE-676] (Use of Potentially Dangerous Function). CISA published the issue in advisory ICSA-26-015-01, highlighting impact to operational technology (OT) environments.
Critical Impact
An authenticated Designer user can escalate privileges by tricking higher-privileged users into interacting with malicious OLE objects embedded in process graphics.
Affected Products
- AVEVA Process Optimization (all versions referenced in vendor advisory)
- Deployments using the Process Optimization Designer role
- ICS/OT environments integrating AVEVA Process Optimization graphical workflows
Discovery Timeline
- 2026-01-16 - CVE-2025-65117 published to the National Vulnerability Database (NVD)
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-65117
Vulnerability Analysis
The vulnerability resides in how AVEVA Process Optimization handles OLE objects embedded into graphical elements created by Designer users. The application permits an authenticated Designer to attach OLE objects to graphics without sufficient validation of the embedded content or restriction on execution context. When another user opens or interacts with the modified graphic, the OLE object executes within that user's session.
This design pattern violates safe-handling expectations for compound documents in trusted engineering workflows. Because process graphics are routinely shared across operator and engineering roles in ICS environments, the attack reliably reaches users with elevated rights. The result is a horizontal-to-vertical privilege escalation contained within the same host, consistent with a local attack vector.
Root Cause
The root cause is the use of a potentially dangerous function for handling OLE content [CWE-676]. AVEVA Process Optimization treats OLE objects embedded by Designer users as trusted, executing them with the privileges of whichever user subsequently opens the graphic. The software lacks adequate boundaries between the content author and the consuming user, and does not restrict OLE actions to a sandboxed or non-executable preview.
Attack Vector
Exploitation requires local access and authenticated Designer-level privileges. The attacker embeds a malicious OLE object into a process graphic, saves the modified asset to a shared project or library, and waits for a victim user with higher privileges to open it. User interaction is required, which aligns with the social-engineering component of the attack chain. No public proof-of-concept or in-the-wild exploitation has been reported, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified exploitation code is available. See the CISA ICS Advisory and the GitHub CSAF File for technical details.
Detection Methods for CVE-2025-65117
Indicators of Compromise
- Process Optimization graphic files modified by Designer users outside expected change-control windows.
- Unexpected child processes spawned by AVEVA Process Optimization client executables following graphic interaction.
- OLE object handlers (for example, packager.exe, mshta.exe, wscript.exe, cscript.exe) launched from the Process Optimization process tree.
Detection Strategies
- Hunt for anomalous process lineage where AVEVA Process Optimization processes spawn scripting or LOLBin binaries.
- Correlate Designer-role file modifications with subsequent execution events on engineering or operator workstations.
- Apply behavioral analytics on engineering workstations to flag execution chains originating from graphic-rendering components.
Monitoring Recommendations
- Enable detailed audit logging within AVEVA Process Optimization for Designer actions, especially OLE embedding operations.
- Forward endpoint and OT host telemetry to a centralized SIEM or data lake for cross-correlation with project file changes.
- Monitor file integrity on shared project repositories where process graphics are stored.
How to Mitigate CVE-2025-65117
Immediate Actions Required
- Restrict Process Optimization Designer privileges to a minimal, vetted set of engineering users.
- Review recent modifications to process graphics and validate them against authorized change records.
- Apply network and host segmentation so engineering workstations are isolated from general-purpose IT systems.
- Apply the AVEVA security update referenced in the vendor advisory as soon as feasible.
Patch Information
AVEVA has published guidance and a software update for this issue. Refer to the AVEVA Cyber Security Updates portal and download the fixed version from the AVEVA Software Download page. CISA also tracks remediation status in the CISA ICS Advisory.
Workarounds
- Disable or restrict OLE object embedding within process graphics where supported by configuration.
- Enforce role separation so users who design graphics cannot share artifacts directly with operators without review.
- Require approval workflows for any graphic file imported into production engineering libraries.
- Train Designer and operator users on the risks of opening graphics from untrusted internal sources.
# Configuration example
# Restrict execution of common OLE handlers from AVEVA process tree (Windows AppLocker example)
# Create a deny rule for scripting hosts when parent is AVEVA Process Optimization
New-AppLockerPolicy -RuleType Deny `
-User "Domain\ProcessOptimizationUsers" `
-Path "%SystemRoot%\System32\wscript.exe" `
-Description "Block wscript from AVEVA Process Optimization context"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

