CVE-2025-65118

HIGH

Aveva Process Optimization < 2025 - Uncontrolled Search Path

Title source: rule

Description

The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server.

References (4)

[Third Party Advisory] https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json

View Writeup ZIP pw:eip

[Permissions Required] https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea

[Vendor Advisory] https://www.aveva.com/en/support-and-success/cyber-security-updates/

[Third Party Advisory, US Government Resource] https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01

Scores

CVSS v3 8.8

EPSS 0.0001

EPSS Percentile 0.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-427

Status published

Products (1)

aveva/process_optimization < 2025

Published Jan 16, 2026

Tracked Since Feb 18, 2026