Cyber Posture

CVE-2025-61943

High

Published: 16 January 2026

Published
16 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0001 1.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-61943 is a high-severity SQL Injection (CWE-89) vulnerability in Aveva Process Optimization. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents SQL injection exploitation by validating and sanitizing user inputs before incorporation into Captive Historian database queries.

SI-2 Flaw Remediation good match
prevent

Mitigates the vulnerability by identifying, reporting, and applying patches for the specific SQL injection flaw in Captive Historian as detailed in advisories.

AC-6 Least Privilege partial match
prevent

Limits the impact of privilege escalation from Process Optimization Standard User to SQL Server admin by enforcing least privilege on accounts and processes.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

SQL injection enables local authenticated user to escalate to SQL Server admin code execution (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper with queries in Captive Historian and achieve code execution under SQL Server administrative privileges, potentially resulting in complete compromise of the SQL Server.

Deeper analysisAI

CVE-2025-61943, published on 2026-01-16, is a SQL injection vulnerability (CWE-89) with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N). It affects Captive Historian, where an authenticated Process Optimization Standard User can tamper with queries, leading to code execution under SQL Server administrative privileges and potential full compromise of the SQL Server instance.

The vulnerability requires local access, low attack complexity, and low privileges (PR:L) from an authenticated attacker, with no user interaction needed and a change in scope (S:C). Exploitation allows the attacker to achieve high confidentiality and integrity impacts through arbitrary code execution as a SQL Server administrator.

Advisories including CISA ICSA-26-015-01 and AVEVA support pages detail mitigations, with patches available for download from AVEVA's software support portal. Security practitioners should consult these references for specific remediation steps.

Details

CWE(s)
CWE-89

Affected Products

aveva
process optimization
≤ 2025

CVEs Like This One

CVE-2025-64691Same product: Aveva Process Optimization
CVE-2025-64729Same product: Aveva Process Optimization
CVE-2025-65118Same product: Aveva Process Optimization
CVE-2025-65117Same product: Aveva Process Optimization
CVE-2025-64769Same product: Aveva Process Optimization
CVE-2025-61937Same product: Aveva Process Optimization
CVE-2025-47954Shared CWE-89
CVE-2025-22976Shared CWE-89
CVE-2025-48650Shared CWE-89
CVE-2025-66678Shared CWE-89

References