AVEVA has disclosed seven critical and high-severity vulnerabilities in its Process Optimization software (formerly ROMeo) that could allow attackers to execute remote code with SYSTEM privileges and fully compromise industrial control systems.
The security bulletin, published on January 13, 2026, affects AVEVA Process Optimization version 2024.1 and all prior versions.
The most severe vulnerability, tracked as CVE-2025-61937, earned the maximum CVSS v4.0 score of 10.0 and is an unauthenticated remote code execution flaw in the software's API.
Exploitation requires no user interaction and could allow attackers to gain SYSTEM-level privileges through the "taoimr" service, potentially leading to complete compromise of the Model Application Server.
Multiple Attack Vectors Identified
The disclosure includes three further critical-severity flaws, each scored 9.3.
CVE-2025-64691 allows an authenticated attacker with standard OS user privileges to inject malicious code by tampering with TCL macro scripts, escalating to SYSTEM.
CVE-2025-61943 is a SQL injection in the Captive Historian component that lets an attacker execute code with SQL Server administrative privileges.
CVE-2025-65118 is a DLL hijacking vulnerability that permits privilege escalation through arbitrary code loading in Process Optimization services.
Three high-severity vulnerabilities round out the bulletin. CVE-2025-64729 (CVSS 8.6) allows privilege escalation through project file tampering because access control lists on those files are missing.
CVE-2025-65117 (CVSS 8.5) allows authenticated designer users to embed malicious OLE objects in graphics to escalate privileges.
CVE-2025-64769 (CVSS 7.6) exposes sensitive information over unencrypted transmission channels, opening the door to man-in-the-middle attacks.
| CVE | Vulnerability Type | CVSS Score |
|---|---|---|
| CVE-2025-61937 | Remote Code Execution via API | 10.0 Critical |
| CVE-2025-64691 | Code Injection (TCL Macro) | 9.3 Critical |
| CVE-2025-61943 | SQL Injection | 9.3 Critical |
| CVE-2025-65118 | DLL Hijacking | 9.3 Critical |
| CVE-2025-64729 | Missing Authorization | 8.6 High |
| CVE-2025-65117 | Malicious OLE Objects | 8.5 High |
| CVE-2025-64769 | Cleartext Transmission | 7.6 High |
AVEVA recommends upgrading immediately to AVEVA Process Optimization 2025 or later, which remediates all of the identified vulnerabilities.
Organizations that cannot patch immediately should apply interim defensive measures: firewall rules restricting the taoimr service on ports 8888/8889 to trusted sources, access control lists restricting write access to the installation directories, and strict chain-of-custody procedures for project files.
The vulnerabilities were discovered by security researcher Christopher Wu of Veracode during an AVEVA-sponsored penetration testing engagement; CISA coordinated advisory publication and CVE assignment.
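The three interim mitigations above can be applied on a Windows Process Optimization host with PowerShell. The script below is an added example written for this page, not code from AVEVA's bulletin, from this article or from Veracode; the install path, project folder, trusted subnet and rule name are placeholders, not values taken from the advisory.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from AVEVA's bulletin, this article or Veracode. Interim
# hardening for a Process Optimization host until the 2025 upgrade is installed,
# covering the three mitigations named in the bulletin. Placeholders (assumed, not
# taken from the advisory): install path, project folder, trusted subnet, rule name.

$InstallDir   = 'C:\Program Files\AVEVA\Process Optimization'   # placeholder path
$ProjectDir   = 'D:\PO_Projects'                                # placeholder path
$TrustedHosts = @('10.20.30.0/24', '10.20.31.15')               # placeholder engineering network
$Ports        = @(8888, 8889)                                    # taoimr ports named in the bulletin
$AllowRule    = 'AVEVA taoimr - trusted sources only'           # placeholder rule name

# --- 1. Firewall: taoimr ports reachable only from trusted sources ---------------
# Windows Firewall lets Block win over Allow, so a catch-all Block rule would also
# cut off the trusted hosts. Instead: default inbound action Block, one scoped
# Allow rule, and any pre-existing Allow rule that names these ports disabled.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

if (-not (Get-NetFirewallRule -DisplayName $AllowRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $AllowRule -Direction Inbound -Protocol TCP `
        -LocalPort $Ports -RemoteAddress $TrustedHosts -Action Allow -Profile Any | Out-Null
}

$PortStrings = $Ports | ForEach-Object { "$_" }
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $AllowRule } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) | Where-Object { $_ -in $PortStrings }).Count -gt 0
    } |
    ForEach-Object {
        Write-Warning "Disabling broader inbound allow rule for taoimr ports: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }
# Program-scoped rules with LocalPort 'Any' are left alone here; review those by hand.

# --- 2. ACLs: ordinary users get read+execute only on the install tree -----------
# CVE-2025-64729 (project file tampering) and CVE-2025-64691 (TCL macro tampering)
# both start from a standard user writing files that a SYSTEM-level service loads.
$Broad     = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]::Write  # Modify/FullControl include these

function Get-BroadWriteAccess {
    # Allow entries that grant one of the broad groups any write bit on $Path.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $Broad -and
        (([int]$_.FileSystemRights) -band $WriteBits) -ne 0
    }
}

$Acl = Get-Acl -Path $InstallDir
$Acl.SetAccessRuleProtection($true, $true)   # stop inheriting; keep parent entries as explicit ones
foreach ($rule in @($Acl.Access)) {
    if ($rule.AccessControlType -eq 'Allow' -and $rule.IdentityReference.Value -in $Broad -and
        (([int]$rule.FileSystemRights) -band $WriteBits) -ne 0) {
        [void]$Acl.RemoveAccessRule($rule)
    }
}
$ReadExec = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($ReadExec)
Set-Acl -Path $InstallDir -AclObject $Acl

# Subfolders with their own explicit ACLs do not pick this up; report any that still grant write.
Get-ChildItem -Path $InstallDir -Recurse -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.FullName
    Get-BroadWriteAccess -Path $p | ForEach-Object { Write-Warning "$p still writable by $($_.IdentityReference)" }
}

# --- 3. Chain of custody for project files: SHA-256 baseline ---------------------
# The handover procedure itself is organisational; this is its technical half: record
# hashes at handover, then diff them before a project is loaded into the server.
$Baseline = Join-Path $env:ProgramData 'PO-project-baseline.csv'

function New-ProjectBaseline {
    Get-ChildItem -Path $ProjectDir -Recurse -File | Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash | Export-Csv -Path $Baseline -NoTypeInformation
}

function Test-ProjectBaseline {
    # One line per changed, added or removed file; no output means the tree matches the baseline.
    $ref = @(Import-Csv -Path $Baseline)
    $cur = @(Get-ChildItem -Path $ProjectDir -Recurse -File | Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash)
    Compare-Object -ReferenceObject $ref -DifferenceObject $cur -Property Path, Hash | ForEach-Object {
        $state = if ($_.SideIndicator -eq '=>') { 'changed or new' } else { 'changed or removed' }
        '{0,-20} {1}' -f $state, $_.Path
    }
}

New-ProjectBaseline      # run once at project handover
# Test-ProjectBaseline   # run before each load; investigate anything it prints
```

The firewall section deliberately avoids a blanket Block rule for the two ports: on Windows Firewall a Block rule takes precedence over any Allow rule, so the only way to scope the service to trusted addresses is a narrow Allow rule with no broader Allow rule left enabled and the profile's default inbound action set to Block. Run the script in an elevated session, and keep the baseline CSV somewhere ordinary users cannot write to, or an attacker who can tamper with project files can tamper with the baseline as well.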
