CVE-2025-64769
Published: 16 January 2026
Summary
CVE-2025-64769 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Aveva Process Optimization. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). The CVE ranks at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2025-64769 is a vulnerability in the Process Optimization application suite, where connection channels and protocols are not encrypted by default. This exposes communications to potential hijacking or data leakage in man-in-the-middle attacks or passive inspection scenarios. The issue is rated with a CVSS v3.1 base score of 7.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L) and is associated with CWE-319 (Cleartext Transmission of Sensitive Information).
The vulnerability can be exploited by unauthenticated attackers (PR:N) with adjacent network access (AV:A), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation allows high-impact confidentiality and integrity violations, such as data interception or modification, alongside low availability impact (A:L), all within unchanged scope (S:U).
Advisories including CISA's ICSA-26-015-01 and AVEVA's software support and cyber-security updates provide details on mitigations and patches; practitioners should consult https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01, https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea, and https://www.aveva.com/en/support-and-success/cyber-security-updates/ for remediation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2989
Vulnerability details
The Process Optimization application suite leverages connection channels/protocols that by default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unencrypted channels (CWE-319) directly enable passive network sniffing (T1040) and active MITM interception/modification (T1557) on adjacent networks.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires cryptographic protection of transmitted information to prevent cleartext exposure, hijacking, and leakage on unencrypted channels.
Mandates use of approved cryptographic mechanisms to protect the confidentiality and integrity of data in transit for this exact class of exposure.
Boundary protection devices can be configured to enforce encrypted protocols and block or inspect unencrypted flows matching the CVE scenario.