
CVE-2025-64729

Severity: High

Published: 16 January 2026
Modified: 22 January 2026

CVSS v4 score: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0017 (6.7th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-64729 is a high-severity Missing Authorization (CWE-862) vulnerability in Aveva Process Optimization. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-64729, published on 2026-01-16, is a high-severity vulnerability (CVSS v3.1 score of 8.1: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L) tied to CWE-862 (Missing Authorization) in AVEVA Process Optimization software. It enables an authenticated OS standard user to tamper with project files, embed code within them, and potentially leverage this for privilege escalation against users who interact with the modified files.

The attack requires local access and low-privilege authentication as an OS standard user, with low complexity but user interaction from a victim. An exploiter can modify Process Optimization project files to include embedded code, allowing privilege escalation to the identity of any victim user who subsequently opens or processes those files, resulting in high confidentiality and integrity impacts alongside changed scope.

CISA ICS Advisory ICSA-26-015-01, along with AVEVA's software support downloads and cyber-security updates page, details patches and mitigation guidance. A corresponding CSAF JSON file is available via the CISAgov GitHub repository.


Vulnerability details

The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Missing authorization allows a low-privileged local user to modify project files and embed executable code; a victim opening the files triggers code execution, which directly enables local privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-65117 · same product: Aveva Process Optimization
CVE-2025-64691 · same product: Aveva Process Optimization
CVE-2025-61943 · same product: Aveva Process Optimization
CVE-2025-65118 · same product: Aveva Process Optimization
CVE-2025-64769 · same product: Aveva Process Optimization
CVE-2025-61937 · same product: Aveva Process Optimization
CVE-2026-32658 · shared CWE-862
CVE-2026-6506 · shared CWE-862
CVE-2025-48574 · shared CWE-862
CVE-2025-21396 · shared CWE-862

Affected Assets

AVEVA Process Optimization ≤ 2025

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement · prevent

Directly mitigates CWE-862 missing authorization by enforcing logical access controls to prevent authenticated standard users from tampering with Process Optimization project files.

AC-6 Least Privilege · prevent

Enforces least privilege to restrict OS standard users from modifying project files, blocking the tampering that enables code embedding and privilege escalation.

prevent

Limits change access to project files to authorized users or roles, preventing unauthorized modifications that lead to embedded code execution and victim privilege escalation.
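The three controls above come down to one verifiable condition on the host: no standard-user principal may hold write-class NTFS rights on the directory that holds Process Optimization project files. The script below is an added example written for this page, not code from AVEVA or from the CISA advisory, and the page does not say what ACL layout AVEVA ships or recommends. It assumes a placeholder project-file path (`C:\ProjectFiles\ProcessOptimization`) and treats `BUILTIN\Users`, `Authenticated Users`, `Everyone` and `INTERACTIVE` as the principals that stand for "any OS standard user". It reports every Allow ACE that grants one of those principals a right capable of altering or replacing a file, which is exactly the access AC-3 and AC-6 say a standard user should not have here.

```powershell
# Added example: audit NTFS ACLs on a project-file directory for ACEs that let
# standard users modify files. Not AVEVA or CISA code; the default path is a
# placeholder assumption and must be adjusted to the site's real layout.
param(
    [string]$ProjectRoot = 'C:\ProjectFiles\ProcessOptimization',  # placeholder path
    [switch]$Recurse
)

# Principals that stand for "any standard user" on a Windows host. An Allow ACE
# granting write-class rights to one of these undercuts AC-3/AC-6 for project files.
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# File-system rights that allow a holder to alter file content, replace files,
# or change the ACL itself (which would let them grant themselves the rest).
$R = [System.Security.AccessControl.FileSystemRights]
$WriteClass = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::WriteAttributes -bor
    $R::WriteExtendedAttributes -bor $R::ChangePermissions -bor $R::TakeOwnership)

function Get-OverlyPermissiveAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries can grant access; Deny entries are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # -notcontains is case-insensitive, so 'BUILTIN\users' still matches.
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to [int] so generic-right bits (which have no enum name) still compare.
        if (([int]$ace.FileSystemRights -band $WriteClass) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The root directory is always checked; -Recurse walks every file and
# subdirectory so an explicit ACE deep in the tree is not missed.
$targets = @(Get-Item -LiteralPath $ProjectRoot)
if ($Recurse) {
    $targets += Get-ChildItem -LiteralPath $ProjectRoot -Recurse -Force
}

$findings = foreach ($item in $targets) { Get-OverlyPermissiveAce -Path $item.FullName }

if (-not $findings) {
    Write-Host "No write-class ACEs for broad principals under $ProjectRoot"
} else {
    # Each row is an ACE to review: inherited rows point at a parent directory
    # whose ACL should be tightened rather than at the file itself.
    $findings | Format-Table -AutoSize
}
```

Run it as `.\Audit-ProjectAcl.ps1 -ProjectRoot '<site project directory>' -Recurse` from an elevated prompt so `Get-Acl` can read every entry. An empty result means the directory already meets the access-enforcement and least-privilege condition the controls describe; any listed row is an ACE to remove or narrow to the role that legitimately edits project files. The check is a complement to applying the vendor patch referenced in the advisory, not a substitute for it.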
