CVE-2025-61943
published 2026-01-16CVE-2025-61943: The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper with queries in Captive Historian and…
PriorityP346high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EPSS
0.33%
24.5th percentile
The vulnerability, if exploited, could allow an authenticated miscreant
(Process Optimization Standard User) to tamper with queries in Captive
Historian and achieve code execution under SQL Server administrative
privileges, potentially resulting in complete compromise of the SQL
Server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aveva | process_optimization | < 2025 | 2025 |
| aveva | process_optimization | <= 2024.1 | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
AVEVA Process Optimization
cisa_ics·2026-01-15·CVSS 10.0
[CRITICAL] AVEVA Process Optimization
ICS Advisory
##
AVEVA Process Optimization
Release DateJanuary 15, 2026
Alert CodeICSA-26-015-01
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## Summary
Successful exploitation of these vulnerabilities could enable an attacker to execute remote code, perform SQL injection, escalate privileges, or access sensitive information.
The following versions of AVEVA Process Optimization are affected:
- Process Optimization (CVE-2025-61937, CVE-2025-64691, CVE-2025-61943, CVE-2025-65118, CVE-2025-64729, CVE-2025-65117, CVE-2025-64769)
CVSS
Vendor
Equipment
Vulnerabilities
| v3 10
| AVEVA
| AVEVA Process Optimization
| Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elem
GHSA
GHSA-wh8v-ph87-c4fh: The vulnerability, if exploited, could allow an authenticated miscreant
(Process Optimization Standard User) to tamper with queries in Captive
Histori
ghsa_unreviewed·2026-01-16
CVE-2025-61943 [CRITICAL] CWE-89 GHSA-wh8v-ph87-c4fh: The vulnerability, if exploited, could allow an authenticated miscreant
(Process Optimization Standard User) to tamper with queries in Captive
Histori
The vulnerability, if exploited, could allow an authenticated miscreant
(Process Optimization Standard User) to tamper with queries in Captive
Historian and achieve code execution under SQL Server administrative
privileges, potentially resulting in complete compromise of the SQL
Server.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.jsonhttps://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68eahttps://www.aveva.com/en/support-and-success/cyber-security-updates/https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01
2026-01-16
Published