CVE-2025-65117
Published: 16 January 2026
Summary
CVE-2025-65117 is a high-severity Use of Potentially Dangerous Function (CWE-676) vulnerability in Aveva Process Optimization. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).
Deeper analysis
CVE-2025-65117, published on 2026-01-16, is a privilege escalation vulnerability (CWE-676) with a CVSS v3.1 base score of 7.4 (AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N). It affects AVEVA Process Optimization Designer, where an authenticated Process Optimization Designer User can embed OLE objects into graphics, enabling potential privilege escalation upon victim interaction with those elements.
The attack requires local access, low complexity, high privileges (Process Optimization Designer User authentication), and user interaction from a victim. A miscreant can craft graphics containing embedded OLE objects; when a higher-privileged victim user subsequently interacts with the graphical elements, the attacker escalates to the victim's identity, achieving high impacts on confidentiality and integrity with a changed scope but no availability disruption.
Advisories including CISA ICSA-26-015-01, AVEVA cybersecurity updates, and related software support downloads provide mitigation guidance and patches for this vulnerability.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2992
Vulnerability details
The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Designer User) to embed OLE objects into graphics, and escalate their privileges to the identity of a victim user who subsequently interacts with the graphical elements.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct priv esc vuln via crafted OLE-embedded graphics requiring victim interaction maps to exploitation for escalation and malicious file execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Restricts the Process Optimization Designer User role from embedding OLE objects in graphics, directly blocking the initial step of the privilege-escalation attack.
Disables or restricts unnecessary capabilities such as OLE embedding within the graphics editor, eliminating the attack vector before any victim interaction occurs.
Controls the use and execution of mobile code (OLE objects) to prevent automatic or interactive activation that would escalate privileges to the victim user.