CVE-2025-65118

HIGH

Aveva Process Optimization < 2025 - Uncontrolled Search Path

Title source: rule

Description

The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server.

References (4)

[Third Party Advisory] https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json

View Writeup ZIP pw:eip

[Permissions Required] https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea

[Vendor Advisory] https://www.aveva.com/en/support-and-success/cyber-security-updates/

[Third Party Advisory, US Government Resource] https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01

Scores

CVSS v3 8.8

EPSS 0.0001

EPSS Percentile 0.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-427

Status published

Affected Products (1)

aveva/process_optimization < 2025

Timeline

Published Jan 16, 2026

Tracked Since Feb 18, 2026