CVE-2025-64729

High

Published: 16 January 2026

Published

16 January 2026

Modified

22 January 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

EPSS Score 0.0001 0.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64729 is a high-severity Missing Authorization (CWE-862) vulnerability in Aveva Process Optimization. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Directly mitigates CWE-862 missing authorization by enforcing logical access controls to prevent authenticated standard users from tampering with Process Optimization project files.

AC-6 Least Privilege good match

prevent

Enforces least privilege to restrict OS standard users from modifying project files, blocking the tampering that enables code embedding and privilege escalation.

CM-5 Access Restrictions for Change good match

prevent

Limits change access to project files to authorized users or roles, preventing unauthorized modifications that lead to embedded code execution and victim privilege escalation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Missing authorization allows low-priv local user to modify project files and embed executable code; victims opening the files trigger code execution, directly enabling local privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files.

Deeper analysisAI

CVE-2025-64729, published on 2026-01-16, is a high-severity vulnerability (CVSS v3.1 score of 8.1: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L) tied to CWE-862 (Missing Authorization) in AVEVA Process Optimization software. It enables an authenticated OS standard user to tamper with project files, embed code within them, and potentially leverage this for privilege escalation against users who interact with the modified files.

The attack requires local access and low-privilege authentication as an OS standard user, with low complexity but user interaction from a victim. An exploiter can modify Process Optimization project files to include embedded code, allowing privilege escalation to the identity of any victim user who subsequently opens or processes those files, resulting in high confidentiality and integrity impacts alongside changed scope.

CISA ICS Advisory ICSA-26-015-01, along with AVEVA's software support downloads and cyber-security updates page, detail patches and mitigation guidance. A corresponding CSAF JSON file is available via the CISAgov GitHub repository.