CVE-2025-65118 Overview
CVE-2025-65118 is a critical privilege escalation vulnerability affecting AVEVA Process Optimization software. The vulnerability allows an authenticated user with standard OS privileges to exploit the Process Optimization services by tricking them into loading arbitrary code. Successful exploitation enables attackers to escalate privileges from OS Standard User to OS System level, potentially resulting in complete compromise of the Model Application Server.
This vulnerability is classified under CWE-427 (Uncontrolled Search Path Element), which occurs when an application searches for critical resources using an externally-supplied search path that can point to resources outside the intended control sphere. In industrial control system (ICS) environments where AVEVA Process Optimization is commonly deployed, this type of vulnerability poses significant operational and security risks.
Critical Impact
Authenticated users can escalate privileges to SYSTEM level, enabling complete compromise of the Model Application Server in industrial control environments.
Affected Products
- AVEVA Process Optimization (all versions prior to patched release)
- Model Application Server components utilizing Process Optimization services
- Industrial control systems running vulnerable AVEVA software
Discovery Timeline
- 2026-01-16 - CVE-2025-65118 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-65118
Vulnerability Analysis
This vulnerability stems from an uncontrolled search path element (CWE-427) in the AVEVA Process Optimization service architecture. The affected software fails to properly validate or restrict the search paths used when loading dynamic libraries or executable components, creating an opportunity for privilege escalation.
When the Process Optimization services execute with elevated SYSTEM privileges, they search for required libraries or modules in directories that may be writable by lower-privileged users. An authenticated attacker with standard OS user access can place a malicious library in one of these search path locations. When the service subsequently loads this attacker-controlled code, it executes with SYSTEM-level privileges.
The local attack vector requires the attacker to have authenticated access to the target system, but no user interaction is required for exploitation. The impact extends beyond the vulnerable component, affecting the confidentiality, integrity, and availability of both the local system and potentially other connected systems in the ICS environment.
Root Cause
The root cause of CVE-2025-65118 is the improper handling of search paths by the Process Optimization service when loading executable code or dynamic libraries. The service does not adequately verify that loaded components originate from trusted, protected locations. This allows lower-privileged users to inject malicious code into the execution flow of highly privileged processes.
Specifically, the vulnerability exists because:
- The service uses relative paths or unqualified names when loading libraries
- Directory permissions allow standard users to write to locations in the search path
- No integrity verification is performed on loaded components
- The service runs with SYSTEM privileges, inheriting these to any loaded code
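Because the root cause is a writable directory sitting early in the loader's search order, a defender's first check is to enumerate that order and see what a standard user can write to. The following Python is an added example (not AVEVA's code or anything from the advisory): it models the documented Windows search order for a DLL requested by bare name, including the effect of the SafeDllSearchMode setting, and reports the writable directories consulted before the legitimate copy. The install path is the page's default; the current directory, the PATH entries, and the writability map in the demo are constructed, and the service binary and library names are not assumed.

```python
"""Audit the DLL search order a Windows service would use for an unqualified
library name and report the directories a standard user can write to before
the loader reaches the legitimate copy. The order follows the documented
Windows rules (SafeDllSearchMode on by default); the directory lists and the
writability map in the demo are constructed sample data."""
import os
import ntpath


def _key(path):
    # Case-insensitive, normalised form so "C:\Windows\System32" == "c:/windows/system32"
    return ntpath.normcase(ntpath.normpath(path))


def dll_search_order(app_dir, cwd, path_dirs, system_root=r"C:\Windows",
                     safe_dll_search_mode=True):
    """Directories searched, in order, for a DLL requested by bare name."""
    system_dirs = [ntpath.join(system_root, "System32"),
                   ntpath.join(system_root, "System"),   # 16-bit system directory
                   system_root]
    if safe_dll_search_mode:
        # SafeDllSearchMode=1: the current directory is consulted after the system directories
        order = [app_dir, *system_dirs, cwd, *path_dirs]
    else:
        # SafeDllSearchMode=0: the current directory comes right after the application directory
        order = [app_dir, cwd, *system_dirs, *path_dirs]
    seen, unique = set(), []
    for d in order:           # drop repeats (e.g. System32 also listed in PATH)
        if _key(d) not in seen:
            seen.add(_key(d))
            unique.append(d)
    return unique


def writable_by_current_user(directory):
    """Real check: run this as the standard user whose reach you are evaluating."""
    return os.path.isdir(directory) and os.access(directory, os.W_OK)


def audit_search_path(order, legitimate_dir, is_writable=writable_by_current_user):
    """Return the writable directories consulted before legitimate_dir.

    A library planted in any of them is loaded instead of the real one.
    legitimate_dir=None means the DLL is not present anywhere (the loader
    walks the whole list), so every writable directory is reported."""
    findings = []
    for d in order:
        if legitimate_dir is not None and _key(d) == _key(legitimate_dir):
            break
        if is_writable(d):
            findings.append(d)
    return findings


if __name__ == "__main__":
    # Constructed demo: the application directory is the page's default install path;
    # the current directory, PATH entries and writability map are invented.
    app_dir = r"C:\Program Files\AVEVA\Process Optimization"
    cwd = r"C:\Users\jdoe"
    path_dirs = [r"C:\Windows\System32", r"C:\Tools"]
    writable = {_key(cwd), _key(r"C:\Tools")}
    for safe in (True, False):
        order = dll_search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=safe)
        hits = audit_search_path(order, r"C:\Windows\System32", lambda d: _key(d) in writable)
        print(f"SafeDllSearchMode={int(safe)}: writable dirs before System32 -> {hits}")
```

Run it under the standard user account you are assessing, with the service's real application directory and PATH, and with `legitimate_dir=None` for any library the service requests that is not present on the host at all; that "missing DLL" case is the one where every writable directory in the list matters.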
Attack Vector
The attack vector for CVE-2025-65118 follows this general exploitation pattern:
- Reconnaissance: The attacker, having authenticated access as a standard OS user, identifies the Process Optimization service and its library loading behavior
- Path Identification: The attacker determines which directories are searched when the service loads dynamic libraries or modules
- Payload Placement: A malicious DLL or executable is placed in a writable directory that precedes legitimate library locations in the search order
- Trigger Execution: The attacker triggers the service to load the component, either by restarting the service (if permitted) or waiting for normal service operation
- Privilege Escalation: The malicious code executes with SYSTEM privileges, granting the attacker full control
The attack exploits the DLL search order hijacking technique, where Windows searches specific directories in a predictable order when loading libraries. By placing a malicious library in a directory searched before the legitimate library location, the attacker ensures their code is loaded instead.
Detection Methods for CVE-2025-65118
Indicators of Compromise
- Unexpected DLL or executable files in directories associated with AVEVA Process Optimization
- Unusual process behavior or child processes spawned from Process Optimization services
- New files created in application directories by non-administrative users
- Suspicious library loading events in Windows Security Event logs for Process Optimization processes
Detection Strategies
- Monitor file system changes in AVEVA Process Optimization installation directories using file integrity monitoring tools
- Implement application whitelisting to detect unauthorized executables loading within Process Optimization service contexts
- Configure Windows Defender Application Control (WDAC) or AppLocker policies to alert on unsigned or untrusted DLLs
- Deploy endpoint detection and response (EDR) solutions like SentinelOne to detect privilege escalation attempts and suspicious DLL loading
Monitoring Recommendations
- Enable detailed Windows Security auditing for object access and process creation events
- Configure SIEM rules to alert on new files created in Process Optimization directories by non-system accounts
- Monitor for anomalous child processes spawned by AVEVA services, particularly command interpreters or network utilities
- Implement behavioral analysis to detect privilege escalation patterns characteristic of DLL hijacking attacks
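The detection and monitoring items above translate into a handful of concrete rules over image-load and file-create telemetry. The Python below is an added example (not AVEVA's code or part of the advisory) that applies those rules to Sysmon-style records: Event ID 7 (ImageLoad) for libraries mapped into the service process and Event ID 11 (FileCreate) for code files written into the install tree. The install path is the page's default; the service executable name, the vendor DLL name, the System32 inventory, the privileged-writer allow-list and every event record are constructed placeholders.

```python
"""Detection logic for DLL-hijacking activity around the AVEVA Process
Optimization service, run over Sysmon-style records: Event ID 7 (ImageLoad)
and Event ID 11 (FileCreate). Every record below is constructed sample data;
the service executable and DLL names are hypothetical placeholders."""
import ntpath

INSTALL_DIR = r"C:\Program Files\AVEVA\Process Optimization"   # default path from the advisory
SERVICE_IMAGE = ntpath.join(INSTALL_DIR, "ProcessOptimizationService.exe")  # hypothetical name
SYSTEM32 = r"C:\Windows\System32"
# Where a SYSTEM service is expected to load code from.
TRUSTED_DLL_DIRS = (INSTALL_DIR, SYSTEM32, r"C:\Windows")
# Stand-in for an inventory of %SystemRoot%\System32; build the real one from the host.
SYSTEM_DLL_INVENTORY = {"kernel32.dll", "advapi32.dll", "user32.dll"}
# Accounts allowed to write code into the install tree (constructed allow-list).
PRIVILEGED_WRITERS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\TRUSTEDINSTALLER"}
CODE_EXTENSIONS = (".dll", ".exe", ".ocx", ".sys")


def _key(path):
    return ntpath.normcase(ntpath.normpath(path))


def _under(path, directory):
    return _key(path).startswith(_key(directory).rstrip("\\") + "\\")


def check_image_load(ev):
    """EID 7: libraries mapped into the service process."""
    if _key(ev.get("Image", "")) != _key(SERVICE_IMAGE):
        return []                                   # other processes: out of scope here
    loaded = ev["ImageLoaded"]
    alerts = []
    if not any(_under(loaded, d) for d in TRUSTED_DLL_DIRS):
        alerts.append(("dll_outside_trusted_dirs", loaded))
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        alerts.append(("unsigned_dll_loaded", loaded))
    if ntpath.basename(loaded).lower() in SYSTEM_DLL_INVENTORY and not _under(loaded, SYSTEM32):
        alerts.append(("system_dll_shadowed", loaded))   # a System32 name served from elsewhere
    return alerts


def check_file_create(ev):
    """EID 11: code files written into the install tree by non-privileged accounts."""
    target = ev["TargetFilename"]
    if not _under(target, INSTALL_DIR) or not target.lower().endswith(CODE_EXTENSIONS):
        return []
    if ev.get("User", "") in PRIVILEGED_WRITERS:
        return []
    return [("non_system_write_of_code_file", f"{ev['User']} -> {target}")]


def analyze_events(events):
    alerts = []
    for ev in events:
        if ev.get("EventID") == 7:
            alerts.extend(check_image_load(ev))
        elif ev.get("EventID") == 11:
            alerts.extend(check_file_create(ev))
    return alerts


SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [  # constructed records
    {"EventID": 7, "Image": SERVICE_IMAGE, "ImageLoaded": ntpath.join(SYSTEM32, "kernel32.dll"),
     "Signed": "true", "SignatureStatus": "Valid", "User": SYSTEM},
    {"EventID": 7, "Image": SERVICE_IMAGE, "ImageLoaded": ntpath.join(INSTALL_DIR, "ModelCore.dll"),
     "Signed": "true", "SignatureStatus": "Valid", "User": SYSTEM},
    {"EventID": 7, "Image": SERVICE_IMAGE, "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "User": SYSTEM},
    {"EventID": 7, "Image": SERVICE_IMAGE, "ImageLoaded": ntpath.join(INSTALL_DIR, "advapi32.dll"),
     "Signed": "false", "SignatureStatus": "Unavailable", "User": SYSTEM},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": ntpath.join(INSTALL_DIR, "advapi32.dll"), "User": r"CORP\jdoe"},
    {"EventID": 11, "Image": ntpath.join(SYSTEM32, "msiexec.exe"),
     "TargetFilename": ntpath.join(INSTALL_DIR, "ModelCore.dll"), "User": SYSTEM},
]

if __name__ == "__main__":
    for rule, detail in analyze_events(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The three image-load rules deliberately overlap: a library planted inside the install directory passes the trusted-directory check, so the unsigned-library and shadowed-system-name rules are what catch it, and the file-create rule gives the earliest signal of all because it fires when the file is written, before the service ever loads it.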
How to Mitigate CVE-2025-65118
Immediate Actions Required
- Apply the latest security patch from AVEVA immediately via the AVEVA Product Download portal
- Review and restrict write permissions on all directories in the Process Optimization service search path
- Implement application whitelisting to prevent unauthorized DLLs from loading
- Isolate affected systems from untrusted network segments until patched
Patch Information
AVEVA has released security updates to address this vulnerability. Organizations should obtain the latest patched version from the AVEVA Cyber Security Updates page. Additional technical details are available in the CISA ICS Advisory #ICSA-26-015-01.
Review the GitHub CSAF Document for machine-readable vulnerability details and remediation guidance.
Workarounds
- Restrict write access to all directories in the DLL search path to administrators only
- Implement Windows Defender Application Control policies to block unsigned or untrusted binaries from loading in service contexts
- Configure the SafeDllSearchMode registry setting to prioritize system directories in the DLL search order
- Deploy network segmentation to limit the impact of potential compromise on ICS environments
# Configuration example - Restrict directory permissions (run from an elevated prompt)
# Default install path shown; adjust to the actual Process Optimization installation directory.
# Keep read/execute for Users so the software still runs; only write/modify rights are removed.
# If the service runs under a dedicated account rather than SYSTEM, grant that account access as well.
icacls "C:\Program Files\AVEVA\Process Optimization" /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "Users:(OI)(CI)RX"
icacls "C:\Program Files\AVEVA\Process Optimization" /deny "Users:(OI)(CI)W" /T
# Verify the resulting ACL before restarting the service
icacls "C:\Program Files\AVEVA\Process Optimization"
# Enable SafeDllSearchMode (1 = enabled, the Windows default) so the system directories are searched before the current directory
reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


