Critical

Privilege Escalation via TCL Macro Script Code Injection in AVEVA Process Optimization

IdentifiersCVE-2025-64691CWE-94· Improper Control of Generation of…

CVE-2025-64691 is a code injection vulnerability in AVEVA Process Optimization affecting versions 2024.1 and earlier. The flaw allows an authenticated attacker with OS standard user privileges to tamper with TCL Macro scripts. By modifying these macro scripts, the attacker can trigger execution in a higher-privileged context and escalate privileges to OS SYSTEM on the Model Application Server. The issue is classified as CWE-94 and is described by the vendor/CISA as capable of leading to complete compromise of the Model Application Server.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows local privilege escalation from an authenticated low-privileged OS account to OS SYSTEM. Because the vulnerable path involves tampering with TCL Macro scripts used by AVEVA Process Optimization, exploitation can result in high-impact compromise of confidentiality, integrity, and availability on the Model Application Server, up to and including complete server compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, apply strict ACLs to AVEVA Process Optimization installation and data folders so only trusted users can modify macro scripts and related application content. Limit local OS access to trusted administrators and operators, and maintain a trusted chain-of-custody for Process Optimization project files and associated content during creation, modification, distribution, backup, and use. More general CISA guidance also recommends minimizing exposure of control system assets and restricting access to trusted networks and users.

Remediation

Patch, then assume compromise.

AVEVA’s recommended remediation for the vulnerabilities in this advisory is to upgrade AVEVA Process Optimization to version 2025. The affected versions are 2024.1 and earlier.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AnyModel Application Serverapplication

AvevaProcess Optimizationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app

the hacker newsNews

Jan 26, 2026

⚡ Weekly Recap: Firewall Flaws, AI-Built Malware, Browser Traps, Critical CVEs & More

Unknown

cyber security newsNews

Jan 20, 2026

Critical AVEVA Software Vulnerabilities Enables Remote Code Execution Under System Privileges

An authenticated code injection vulnerability in macro functionality enabling privilege escalation to SYSTEM (via TCL scripts).

cvefeed high severityNews

May 31, 2026

CVE-2025-64691 - AVEVA Process Optimization Code Injection

A privilege escalation vulnerability that allows an authenticated OS standard user to tamper with TCL Macro scripts and escalate privileges to OS system, potentially leading to complete compromise of the model application server.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-64691

NVD

nvd.nist.gov/vuln/detail/CVE-2025-64691

MITRE CWE · CWE-94

Improper Control of Generation of Code ('Code…

Vendor Advisory

aveva.com/en/support-and-success/cyber-security-updates

Third Party Advisory

github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json

Third Party Advisory

cisa.gov/news-events/ics-advisories/icsa-26-015-01

Permissions Required

softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea