Critical AVEVA Software Flaws Allow Remote Code Execution With SYSTEM Privileges

AVEVA has disclosed seven critical- and high-severity vulnerabilities in its Process Optimization software (formerly ROMeo) that could let an attacker execute code remotely with SYSTEM privileges and fully compromise the industrial control system hosts running it.

The security bulletin, published on January 13, 2026, covers AVEVA Process Optimization version 2024.1 and all prior versions.

The most severe vulnerability, tracked as CVE-2025-61937, carries the maximum CVSS v4.0 score of 10.0: an unauthenticated remote code execution flaw reachable through the software's API.

Exploitation requires no user interaction. Code supplied by the attacker runs in the context of the "taoimr" service with SYSTEM privileges, which can lead to complete compromise of the Model Application Server.

Multiple Attack Vectors Identified

The disclosure includes three further critical-severity flaws, each scored 9.3.

CVE-2025-64691 lets an authenticated attacker with standard OS user privileges tamper with TCL macro scripts to inject code that then runs as SYSTEM.

CVE-2025-61943 is a SQL injection in the Captive Historian component that lets an attacker execute code with SQL Server administrative privileges.

CVE-2025-65118 is a DLL hijacking flaw: Process Optimization services can be made to load an attacker-supplied DLL, yielding privilege escalation.

Three high-severity vulnerabilities round out the bulletin. CVE-2025-64729 (CVSS 8.6) enables privilege escalation through project file tampering, because the project files carry no access control lists.

CVE-2025-65117 (CVSS 8.5) allows an authenticated designer user to embed malicious OLE objects in graphics and use them for privilege escalation.

CVE-2025-64769 (CVSS 7.6) exposes sensitive information over unencrypted transmission channels, opening the door to man-in-the-middle attacks.

CVE             Vulnerability type              CVSS v4.0 score
CVE-2025-61937  Remote code execution via API   10.0 (Critical)
CVE-2025-64691  Code injection (TCL macro)      9.3 (Critical)
CVE-2025-61943  SQL injection                   9.3 (Critical)
CVE-2025-65118  DLL hijacking                   9.3 (Critical)
CVE-2025-64729  Missing authorization           8.6 (High)
CVE-2025-65117  Malicious OLE objects           8.5 (High)
CVE-2025-64769  Cleartext transmission          7.6 (High)

AVEVA recommends upgrading immediately to AVEVA Process Optimization 2025 or later, which remediates all seven vulnerabilities.

Organizations that cannot upgrade right away should apply interim mitigations: firewall rules that restrict access to the taoimr service (ports 8888 and 8889) to trusted sources, access control lists that remove write access to the installation directories, and strict chain-of-custody controls for project files.
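The following PowerShell script is an added example of those interim mitigations; it is not AVEVA's guidance and not taken from the bulletin. It assumes the taoimr ports are TCP, that the trusted client subnet is 10.20.30.0/24, that the product is installed under C:\AVEVA\ProcessOptimization, and that the service runs as SYSTEM (all hypothetical; adjust before use). It scopes the firewall to the trusted sources, disables any broader existing rule on the same ports, audits the install directory for write access granted to low-privilege principals (the condition the DLL-hijacking and project-file-tampering bugs rely on), and re-baselines the ACL when it finds any.

```powershell
# Added example, not from the AVEVA bulletin: interim hardening of an
# unpatched AVEVA Process Optimization host, run from an elevated PowerShell
# session on the Model Application Server itself.
#
# Assumptions (edit before use):
#   - the taoimr service listens on TCP 8888 and 8889 (the bulletin names the
#     ports; the protocol is assumed here)
#   - 10.20.30.0/24 is the only client subnet that should reach it (hypothetical)
#   - the product lives under C:\AVEVA\ProcessOptimization (hypothetical path)
#   - the service runs as SYSTEM, so it keeps access once Users lose write

$TrustedSources = @('10.20.30.0/24')
$TaoimrPorts    = @('8888', '8889')
$InstallDir     = 'C:\AVEVA\ProcessOptimization'

# Confirm which account the service runs as and where its binary lives, so the
# directory hardened below is the one the service actually loads code from.
Get-CimInstance Win32_Service -Filter "Name='taoimr'" |
    Select-Object Name, State, StartName, PathName | Format-List

# --- 1. Firewall: default-deny inbound, then one narrow Allow ---------------
# A Block rule always beats an Allow rule that matches the same packet, so
# "allow trusted + block everyone else" on the same ports would also block the
# trusted hosts. Default-deny on the profile plus a scoped Allow is the
# correct shape.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Disable any existing inbound Allow rule that exposes the taoimr ports to any
# remote address (for example one created by the installer). Port ranges such
# as "8000-9000" are not matched by this simple check; review those by hand.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        $addrs = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        ($ports | Where-Object { $TaoimrPorts -contains $_ }) -and ($addrs -contains 'Any')
    } |
    ForEach-Object {
        Write-Host "Disabling broad rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

New-NetFirewallRule -DisplayName 'AVEVA taoimr - trusted sources only' `
    -Direction Inbound -Protocol TCP -LocalPort $TaoimrPorts `
    -RemoteAddress $TrustedSources -Action Allow -Profile Any | Out-Null

# --- 2. Install directory: find and remove low-privilege write access -------
# Any ACE that lets ordinary users write here is what the DLL-hijacking and
# project-file-tampering bugs need.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$LowPriv   = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

$acl  = Get-Acl -Path $InstallDir
$weak = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $LowPriv -contains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $WriteMask) -ne 0
})
$weak | ForEach-Object { Write-Host "Weak ACE: $($_.IdentityReference) -> $($_.FileSystemRights)" }

if ($weak.Count -gt 0) {
    # Stop inheriting, drop every existing ACE, then grant only SYSTEM and
    # Administrators full control and Users read/execute; children inherit.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none  = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($g in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Users';          Rights = 'ReadAndExecute' })) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Id, $g.Rights, $flags, $none, 'Allow')))
    }
    Set-Acl -Path $InstallDir -AclObject $acl
    Write-Host "Re-baselined ACL on $InstallDir"
} else {
    Write-Host "No low-privilege write access on $InstallDir"
}
```

If the service runs under a dedicated account rather than SYSTEM, add an explicit ReadAndExecute grant for that account before calling Set-Acl, or it will fail to start. The firewall section only narrows who can reach the API; it does nothing for an attacker already on the trusted subnet, which is why the ACL step and the project-file chain-of-custody controls are needed alongside it.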

The vulnerabilities were discovered by security researcher Christopher Wu of Veracode during an AVEVA-sponsored penetration testing engagement; CISA coordinated the advisory publication and CVE assignment.
