Critical AVEVA Software Vulnerabilities Enable SYSTEM-Level Remote Code Execution

AVEVA disclosed seven critical and high-severity vulnerabilities in its Process Optimization software on January 13, 2026, exposing industrial control systems to complete compromise.

The flaws affect all versions through 2024.1 and enable attackers to execute remote code with SYSTEM-level privileges without authentication.

Unauthenticated Remote Code Execution Poses Maximum Risk

The most severe flaw, CVE-2025-61937, is an unauthenticated API-based remote code execution vulnerability with a CVSS score of 10.0, the maximum severity rating.

Exploitation requires no user interaction, allowing attackers to gain SYSTEM privileges on the “taoimr” service and completely compromise the Model Application Server.

This vector represents an immediate, actionable threat to operational technology environments globally.

Three additional critical vulnerabilities each carry a CVSS score of 9.3. CVE-2025-64691 allows authenticated attackers with standard OS privileges to inject malicious TCL Macro scripts, escalating to SYSTEM level.

CVE-2025-61943 exploits an SQL injection vulnerability in the Captive Historian component, enabling code execution with SQL Server administrative privileges.

CVE-2025-65118 leverages DLL hijacking to achieve privilege escalation through arbitrary code loading in Process Optimization services.

Three high-severity flaws create secondary attack surfaces. CVE-2025-64729 (CVSS 8.6) enables privilege escalation via tampering with project files due to missing access control lists.

CVE-2025-65117 (CVSS 8.5) allows authenticated designer users to embed malicious OLE objects into graphics to escalate privileges.

CVE-2025-64769 (CVSS 7.6) exposes sensitive information through unencrypted channels, creating opportunities for man-in-the-middle attacks.

| CVE | Vulnerability Type | CVSS Score | Severity |
|---|---|---|---|
| CVE-2025-61937 | Remote Code Execution via API | 10.0 | Critical |
| CVE-2025-64691 | Code Injection (TCL Macro) | 9.3 | Critical |
| CVE-2025-61943 | SQL Injection | 9.3 | Critical |
| CVE-2025-65118 | DLL Hijacking | 9.3 | Critical |
| CVE-2025-64729 | Missing Authorization | 8.6 | High |
| CVE-2025-65117 | Malicious OLE Objects | 8.5 | High |
| CVE-2025-64769 | Cleartext Transmission | 7.6 | High |

AVEVA recommends upgrading to Process Optimization 2025 or later immediately. Organizations unable to apply patches immediately should implement temporary defensive measures: restrict the taoimr service to trusted sources on ports 8888/8889 via firewall rules, implement access control lists limiting write access to installation directories, and maintain strict chain-of-custody protocols for project files.
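
As an added example (not taken from AVEVA's advisory or this article), the following read-only PowerShell audit checks a host against two of the interim measures above: the firewall scope on ports 8888/8889 and write access to the installation directories. The install path, the trusted source addresses and the list of acceptable identities are placeholders and assumptions to replace for your site.

```powershell
# Added example: read-only audit of two interim mitigations on a Process Optimization host.
# $InstallDir and $TrustedSources are placeholders (assumptions); set them for your site.
$InstallDir     = 'C:\Path\To\ProcessOptimization'   # placeholder install path
$TrustedSources = @('192.0.2.10', '192.0.2.11')      # placeholder trusted client IPs
$ServicePorts   = 8888, 8889                         # taoimr ports named in the advisory

# True when a firewall LocalPort entry ('Any', '8888', '8000-9000') covers a service port.
function Test-PortCovered([string[]]$Entries) {
    foreach ($e in $Entries) {
        if ($e -eq 'Any') { return $true }
        if ($e -match '^(\d+)(?:-(\d+))?$') {
            $lo = [int]$Matches[1]
            $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
            if ($ServicePorts | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
        }
    }
    return $false
}

# 1. Enabled inbound allow rules that reach 8888/8889 from outside the trusted list.
$wideRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'Any') { continue }
    if (-not (Test-PortCovered $pf.LocalPort)) { continue }
    $extra = ($rule | Get-NetFirewallAddressFilter).RemoteAddress |
        Where-Object { $_ -notin $TrustedSources }
    if ($extra) { [pscustomobject]@{ Rule = $rule.DisplayName; UntrustedScope = $extra -join ', ' } }
}

# 2. Allow ACEs granting write-type rights on install directories to other identities.
#    Identity names below assume an English-language Windows install.
$trustedIds = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
$writeBits  = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000  # plus GENERIC_WRITE, GENERIC_ALL
$dirs = @(Get-Item -LiteralPath $InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Directory)
$weakAces = foreach ($dir in $dirs) {
    foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -notin $trustedIds -and
            ([int]$ace.FileSystemRights -band $writeBits)) {
            [pscustomobject]@{ Path = $dir.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

$wideRules | Format-Table -AutoSize
$weakAces  | Sort-Object Path, Identity | Format-Table -AutoSize
```

Two empty tables are the target state, assuming the active firewall profile's default inbound action is Block; any row is a rule or ACE to review before relying on the mitigation.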

The vulnerabilities were discovered by security researcher Christopher Wu from Veracode during an AVEVA-sponsored penetration testing engagement.

CISA coordinated the advisory publication and CVE assignment, indicating a validated severity assessment.

Industrial organizations running Process Optimization should prioritize patching within 24-48 hours due to the maximum-severity unauthenticated RCE vector and ease of exploitation.

The post Critical AVEVA Software Vulnerabilities Enable SYSTEM-Level Remote Code Execution appeared first on Cyber Security News.
