AVEVA has disclosed seven critical- and high-severity vulnerabilities in its Process Optimization software (formerly ROMeo) that could allow attackers to execute remote code with SYSTEM privileges and fully compromise industrial control systems.
The security bulletin, published on January 13, 2026, affects AVEVA Process Optimization version 2024.1 and all prior versions.
The most severe vulnerability, tracked as CVE-2025-61937, earned a maximum CVSSv4.0 score of 10.0 and is an unauthenticated remote code execution flaw in the software's API.
Exploitation requires no user interaction and could allow attackers to gain SYSTEM-level privileges on the "taoimr" service, potentially leading to complete compromise of the Model Application Server.
Multiple Attack Vectors Identified
The disclosure includes three additional critical-severity flaws, each with a CVSS score of 9.3.
CVE-2025-64691 allows authenticated attackers with standard OS user privileges to inject malicious code through TCL macro script tampering, escalating privileges to SYSTEM level.
CVE-2025-61943 is a SQL injection in the Captive Historian component, allowing attackers to execute code under SQL Server administrative privileges.
CVE-2025-65118 covers DLL hijacking weaknesses that allow privilege escalation through arbitrary code loading in Process Optimization services.
Three high-severity vulnerabilities round out the bulletin. CVE-2025-64729 (CVSS 8.6) allows privilege escalation through project file tampering because of missing access control lists.
CVE-2025-65117 (CVSS 8.5) allows authenticated designer users to embed malicious OLE objects into graphics for privilege escalation.
CVE-2025-64769 (CVSS 7.6) exposes sensitive information over unencrypted transmission channels, creating man-in-the-middle opportunities.
| CVE | Vulnerability Type | CVSS Score |
|---|---|---|
| CVE-2025-61937 | Remote Code Execution via API | 10.0 Critical |
| CVE-2025-64691 | Code Injection (TCL Macro) | 9.3 Critical |
| CVE-2025-61943 | SQL Injection | 9.3 Critical |
| CVE-2025-65118 | DLL Hijacking | 9.3 Critical |
| CVE-2025-64729 | Missing Authorization | 8.6 High |
| CVE-2025-65117 | Malicious OLE Objects | 8.5 High |
| CVE-2025-64769 | Cleartext Transmission | 7.6 High |
AVEVA recommends upgrading immediately to AVEVA Process Optimization 2025 or later, which remediates all of the identified vulnerabilities.
Organizations that cannot patch immediately should put interim defensive measures in place: firewall rules restricting the taoimr service to trusted sources on ports 8888/8889, access control lists limiting write access to the installation directories, and strict chain-of-custody handling for project files.
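As an added, defender-side example (not a script from AVEVA, CISA or the advisory itself), the following PowerShell applies the three interim measures on a Windows host running Process Optimization: a scoped inbound firewall rule for taoimr on 8888/8889, a read/execute-only ACL on the installation tree, and a SHA-256 baseline of the project directory so that unexplained changes to project files are detected. The install path, project directory and trusted address ranges are placeholders, and the `New-PoProjectBaseline` / `Compare-PoProjectBaseline` function names are this example's own.

```powershell
# Added example, not AVEVA's or CISA's own script: interim hardening for an AVEVA
# Process Optimization host while the upgrade to 2025 is being scheduled.
# Every value marked "placeholder" is an assumption for this example.
#Requires -RunAsAdministrator

$InstallDir   = 'C:\Program Files\AVEVA\Process Optimization'   # placeholder: real install directory
$ProjectDir   = 'D:\PO-Projects'                                 # placeholder: where project files live
$TrustedHosts = @('10.10.20.0/24', '10.10.21.5')                 # placeholder: hosts allowed to reach taoimr
$TaoimrPorts  = @('8888', '8889')                                # ports named in the advisory
$RuleName     = 'AVEVA PO taoimr (trusted sources only)'
$BaselineFile = "$env:ProgramData\PO-Hardening\project-baseline.csv"

# --- 1. Firewall: default inbound Block, then allow taoimr only from trusted sources.
# Windows Defender Firewall evaluates explicit Block rules before Allow rules, so the safe shape is
# a scoped Allow rule on top of a Block default; do not add a blanket Block rule for these ports.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $TaoimrPorts `
    -RemoteAddress $TrustedHosts -Action Allow -Profile Any -Enabled True

# Report any other Allow rule that already opens these ports more widely (e.g. one left by an installer).
Get-NetFirewallPortFilter | Where-Object {
    $_.Protocol -eq 'TCP' -and ($_.LocalPort | Where-Object { $_ -in $TaoimrPorts })
} | Get-NetFirewallRule | Where-Object {
    $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName
} | Select-Object DisplayName, Enabled, Profile

# --- 2. ACLs: interactive users may read and execute the install tree but not write to it.
# SYSTEM and Administrators keep full control. If a dedicated service account must write to a
# subfolder (logs, temp), grant that subfolder separately rather than loosening the whole tree.
# /inheritance:r drops inherited entries; review "icacls $InstallDir" afterwards for leftover explicit ones.
icacls "$InstallDir" /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX' /T /C

# --- 3. Chain of custody for project files: record a SHA-256 baseline and compare it on a schedule.
function New-PoProjectBaseline {
    param([string]$Path = $ProjectDir, [string]$Out = $BaselineFile)
    New-Item -ItemType Directory -Path (Split-Path $Out) -Force | Out-Null
    Get-ChildItem -Path $Path -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path $Out -NoTypeInformation
}

function Compare-PoProjectBaseline {
    param([string]$Path = $ProjectDir, [string]$Baseline = $BaselineFile)
    $old = @{}
    Import-Csv -Path $Baseline | ForEach-Object { $old[$_.Path] = $_.Hash }
    $new = @{}
    Get-ChildItem -Path $Path -Recurse -File | Get-FileHash -Algorithm SHA256 |
        ForEach-Object { $new[$_.Path] = $_.Hash }

    # Emit one object per difference; no output means the project tree matches the baseline.
    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p))  { [pscustomobject]@{ Change = 'Added';    Path = $p } }
        elseif ($old[$p] -ne $new[$p])  { [pscustomobject]@{ Change = 'Modified'; Path = $p } }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p))  { [pscustomobject]@{ Change = 'Removed';  Path = $p } }
    }
}

# Usage: take the baseline right after the project files have been reviewed, then run the comparison
# from a scheduled task and alert on any output; an unexplained 'Modified' project file is the tamper case.
New-PoProjectBaseline
Compare-PoProjectBaseline
```

The firewall step deliberately relies on the profile's default inbound action rather than an explicit Block rule for the two ports, because an explicit Block would also override the scoped Allow rule for the trusted hosts. The ACL step is the broad form; if the product's own services need to write somewhere under the install tree, grant that path explicitly for the service account instead of widening `Users`.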
The vulnerabilities were discovered by security researcher Christopher Wu of Veracode during an AVEVA-sponsored penetration testing engagement, with CISA coordinating advisory publication and CVE assignment.