Cyber Resilience

CVE-2025-64769

High

Published: 16 January 2026

Modified: 22 January 2026
CVSS Score v4: 7.6
CVSS v4 vector: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0001 (0.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-64769 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Aveva Process Optimization. Its CVSS v4 base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). The CVE ranks at the 0.7th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2025-64769 is a vulnerability in the Process Optimization application suite, where connection channels and protocols are not encrypted by default. This exposes communications to potential hijacking or data leakage in man-in-the-middle attacks or passive inspection scenarios. The issue is rated with a CVSS v3.1 base score of 7.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L) and is associated with CWE-319 (Cleartext Transmission of Sensitive Information).

The vulnerability can be exploited by unauthenticated attackers (PR:N) with adjacent network access (AV:A), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation allows high-impact confidentiality and integrity violations, such as data interception or modification, alongside low availability impact (A:L), all within unchanged scope (S:U).

Advisories including CISA's ICSA-26-015-01 and AVEVA's software support and cyber-security updates provide details on mitigations and patches; practitioners should consult https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01, https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea, and https://www.aveva.com/en/support-and-success/cyber-security-updates/ for remediation guidance.

Vulnerability details

The Process Optimization application suite leverages connection channels/protocols that by default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1040: Network Sniffing (Credential Access)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
T1557: Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Unencrypted channels (CWE-319) directly enable passive network sniffing (T1040) and active MITM interception/modification (T1557) on adjacent networks.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-61943 (same product: Aveva Process Optimization)
CVE-2025-61937 (same product: Aveva Process Optimization)
CVE-2025-65117 (same product: Aveva Process Optimization)
CVE-2025-64729 (same product: Aveva Process Optimization)
CVE-2025-64691 (same product: Aveva Process Optimization)
CVE-2025-65118 (same product: Aveva Process Optimization)
CVE-2020-36917 (shared CWE-319)
CVE-2026-24212 (shared CWE-319)
CVE-2020-36914 (shared CWE-319)
CVE-2026-5115 (shared CWE-319)

Affected Assets

aveva process optimization, versions ≤ 2025

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires cryptographic protection of transmitted information to prevent cleartext exposure, hijacking, and leakage on unencrypted channels.

prevent: Mandates use of approved cryptographic mechanisms to protect the confidentiality and integrity of data in transit for this exact class of exposure.

prevent: Boundary protection devices can be configured to enforce encrypted protocols and block or inspect unencrypted flows matching the CVE scenario.
