Critical AVEVA Flaws Allow Remote Code Execution with
On January 13, 2026, seven vulnerabilities were disclosed in AVEVA’s Process Optimization (formerly ROMeo) 2024.1 and earlier versions. Crucially, these flaws include a critical vulnerability...
On January 13, 2026, seven vulnerabilities were disclosed in AVEVA’s Process Optimization (formerly ROMeo) 2024.1 and earlier versions. Crucially, these flaws include a critical vulnerability that permits unauthenticated SYSTEM-level remote code execution.
The most severe vulnerability enables unauthenticated attackers to achieve remote code execution under system privileges, posing an immediate risk to industrial process control environments worldwide.
The primary threat stems from a critical code injection vulnerability in the application’s API layer. An unauthenticated attacker can exploit this flaw to execute arbitrary code with full system privileges on the “taoimr” service.
Potentially compromising the entire Model Application Server and connected infrastructure.
Vulnerability Summary
This attack requires no user interaction, is low-complexity, and can be executed remotely over the network, making it exceptionally dangerous for organizations running vulnerable versions.
Additional severe vulnerabilities include code injection via macro functionality that allows authenticated users to escalate from standard OS user to system-level privileges.
| CVE ID | Type | CVSS v4.0 | Severity | Impact |
|---|---|---|---|---|
| CVE-2025-61937 | Remote Code Execution (API) | 10.0 | Critical | Unauthenticated RCE under system privileges |
| CVE-2025-64691 | Code Injection (Macros) | 9.3 | Critical | Privilege escalation via TCL scripts |
| CVE-2025-61943 | SQL Injection | 9.3 | Critical | SQL Server admin code execution |
| CVE-2025-65118 | DLL Hijacking | 9.3 | Critical | System privilege escalation |
| CVE-2025-64729 | Missing ACLs | 8.6 | High | Project file tampering & privilege escalation |
| CVE-2025-65117 | Embedded OLE Objects | 8.5 | High | Malicious content delivery |
| CVE-2025-64769 | Cleartext Transmission | 7.6 | High | Data interception via Man-in-the-Middle |
SQL injection flaws in the Captive Historian component that grant attackers SQL Server administrative access.
A DLL hijacking vulnerability enables authenticated users to load arbitrary code and elevate their privileges to system-level.
These attack vectors collectively demonstrate sophisticated exploitation pathways that could completely compromise affected systems.
AVEVA recommends immediate action: organizations should upgrade to AVEVA Process Optimization 2025 or higher to patch all identified vulnerabilities.
As an interim defensive measure, administrators should implement network firewall rules restricting the taoimr service (default ports 8888/8889) to trusted sources only.
Apply strict access control lists to installation and data folders, and maintain rigorous change management for project files.
The vulnerabilities were discovered during a planned penetration test by Veracode security researcher Christopher Wu and coordinated with CISA.
Organizations operating AVEVA Process Optimization environments should prioritize patching immediately to prevent exploitation of these critical flaws in their industrial control systems infrastructure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.