---
title: "Critical AVEVA Process Optimization Flaws Allow Remote Code Execution"
short_title: "AVEVA Process Optimization critical vulnerabilities"
description: "Seven critical vulnerabilities in AVEVA Process Optimization enable remote code execution, SQL injection, and privilege escalation. Update to v2025 or apply mitigations now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [aveva, cve-2025, rce, sql-injection, critical-infrastructure]
score: 0.92
cve_ids: [CVE-2025-61937, CVE-2025-64691, CVE-2025-61943, CVE-2025-65118, CVE-2025-64729, CVE-2025-65117, CVE-2025-64769]
---
## TL;DR
Seven critical vulnerabilities in AVEVA Process Optimization (versions ≤2024.1) could allow attackers to execute remote code, perform SQL injection, escalate privileges, or access sensitive information. AVEVA has released v2025 to patch these flaws, along with mitigation steps for organizations unable to update immediately. Immediate action is recommended for all affected users.
---
## Introduction
AVEVA, a global leader in industrial software, has disclosed seven critical vulnerabilities in its Process Optimization suite, a solution widely used in critical manufacturing sectors. If exploited, these flaws could let threat actors achieve remote code execution (RCE), perform SQL injection, escalate privileges, or intercept sensitive data. Given the software’s deployment in critical infrastructure, these vulnerabilities pose significant risks to operational security and continuity.
---
## Key Points
- Seven vulnerabilities affect AVEVA Process Optimization versions ≤2024.1, with CVSS scores ranging from 7.1 to 10.0.
- Exploitation could lead to remote code execution, SQL injection, privilege escalation, and data leakage.
- Critical manufacturing sectors worldwide are at risk, as the software is deployed globally.
- AVEVA has released v2025 to patch these vulnerabilities, along with mitigation strategies for organizations unable to update immediately.
- No known public exploitation has been reported to CISA as of this advisory.
---
## Technical Details
#### Vulnerabilities Overview
The vulnerabilities affect AVEVA Process Optimization and are categorized as follows:
| CVE ID | Type | CVSS Score | Severity | Impact |
|---|---|---|---|---|
| CVE-2025-61937 | Code Injection | 10.0 | Critical | Remote code execution under OS System privileges. |
| CVE-2025-64691 | Code Injection | 8.8 | High | Privilege escalation to OS System via TCL Macro scripts. |
| CVE-2025-61943 | SQL Injection | 8.4 | High | Code execution under SQL Server administrative privileges. |
| CVE-2025-65118 | Uncontrolled Search Path Element | 8.8 | High | Privilege escalation to OS System via arbitrary code loading. |
| CVE-2025-64729 | Missing Authorization | 8.1 | High | Privilege escalation via tampered project files. |
| CVE-2025-65117 | Use of Potentially Dangerous Function | 7.4 | High | Privilege escalation via embedded OLE objects in graphics. |
| CVE-2025-64769 | Cleartext Transmission of Sensitive Information | 7.1 | High | Data interception or hijacking via unencrypted connection channels. |
---
#### Attack Vector
1. Remote Code Execution (CVE-2025-61937)
- An unauthenticated attacker can exploit this flaw to execute arbitrary code under the OS System privileges of the `taoimr` service, leading to a complete compromise of the Model Application Server.
2. SQL Injection (CVE-2025-61943)
- An authenticated attacker with standard user privileges can tamper with queries in Captive Historian, escalating privileges to SQL Server administrative level and compromising the entire SQL Server.
3. Privilege Escalation (CVE-2025-64691, CVE-2025-65118, CVE-2025-64729, CVE-2025-65117)
- Attackers with standard OS or Process Optimization user privileges can escalate their access to OS System or victim user identities by tampering with TCL Macro scripts, project files, or graphical elements.
4. Data Leakage (CVE-2025-64769)
- The software’s unencrypted connection channels could allow man-in-the-middle (MITM) attacks, leading to data interception or hijacking.
---
#### Affected Systems
- AVEVA Process Optimization versions ≤2024.1.
- Deployed in critical manufacturing sectors worldwide.
- Default ports: 8888/8889 (TLS).
---
## Impact Assessment
The vulnerabilities pose severe risks to organizations using AVEVA Process Optimization, particularly those in critical infrastructure sectors. Successful exploitation could result in:
- Complete compromise of the Model Application Server or SQL Server.
- Unauthorized access to sensitive industrial data.
- Disruption of critical manufacturing processes, leading to operational downtime.
- Lateral movement within networks, enabling attackers to target additional systems.
Given the global deployment of AVEVA’s software, these flaws could have far-reaching consequences for industries relying on process optimization technologies.
---
## Mitigation Steps
AVEVA has provided the following remediation and mitigation strategies:
#### Primary Remediation
- Update to AVEVA Process Optimization v2025 immediately to patch all vulnerabilities.
#### Alternative Mitigations
1. Network Restrictions
- Apply host and/or network firewall rules to restrict the `taoimr` service to trusted sources only.
- Refer to the [AVEVA Process Optimization Installation Guide](https://www.aveva.com) for port configuration details.
2. Access Control Lists (ACLs)
- Apply ACLs to installation and data folders, limiting write-access to trusted users only.
3. Chain-of-Custody
- Maintain a trusted chain-of-custody for Process Optimization project files during creation, modification, distribution, backups, and use.
4. Additional Guidance
- Refer to AVEVA’s security bulletin [AVEVA-2026-001](https://www.aveva.com) for further details.
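As an added example (not code from AVEVA's bulletin or the CISA advisory), the following PowerShell applies the network-restriction and ACL mitigations above on the Process Optimization host itself, scoped to the default ports 8888/8889 named in this advisory. The trusted client subnet, installation and data paths, the operator group, and the assumption that the Windows service is registered as `taoimr` are placeholders to adjust to your environment.

```powershell
# Added example (not AVEVA's or CISA's code): interim host hardening for an
# AVEVA Process Optimization server until v2025 is installed.
# Assumptions/placeholders: trusted subnet, install/data paths, operator group,
# and that the Windows service is registered under the name 'taoimr'.
# Run in an elevated PowerShell session on the Process Optimization host.

$TrustedSources = @('10.20.30.0/24')                             # placeholder trusted client subnet(s)
$PoPorts        = @('8888', '8889')                              # default ports per the advisory
$InstallDir     = 'C:\Program Files\AVEVA\Process Optimization'  # placeholder
$DataDir        = 'D:\AVEVA\ProcessOptimization\Projects'        # placeholder
$OperatorsGroup = 'CORP\PO-Operators'                            # placeholder

# 0. Confirm the service is present before changing anything.
if (-not (Get-Service -Name 'taoimr' -ErrorAction SilentlyContinue)) {
    throw "taoimr service not found; check the service name on this host."
}

# 1. Default-deny inbound on every profile so only explicit allow rules pass.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable existing inbound allow rules that open the PO ports to everyone
#    (rules using port ranges or 'Any' are not matched here; review those by hand).
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) | Where-Object { $PoPorts -contains $_ } } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

# 3. Allow the PO ports only from the trusted sources.
New-NetFirewallRule -DisplayName 'AVEVA PO taoimr - trusted sources only' `
    -Direction Inbound -Protocol TCP -LocalPort $PoPorts `
    -RemoteAddress $TrustedSources -Action Allow -Profile Any | Out-Null

# 4. Restrict write access: installation folder read-only for non-admins,
#    project/data folder writable only by the operator group.
icacls $InstallDir /inheritance:r `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
             'BUILTIN\Users:(OI)(CI)RX' /T /C
icacls $DataDir /inheritance:r `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
             "${OperatorsGroup}:(OI)(CI)M" 'BUILTIN\Users:(OI)(CI)RX' /T /C

# 5. Show what is now in force.
Get-NetFirewallRule -DisplayName 'AVEVA PO taoimr - trusted sources only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
icacls $InstallDir
```

Verify against a test client outside the trusted subnet that connections to 8888/8889 are refused before relying on this, and keep the v2025 update as the actual fix.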
---
#### CISA-Recommended Practices
The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following defensive measures:
- Minimize network exposure for control system devices, ensuring they are not accessible from the internet.
- Isolate control system networks behind firewalls and separate them from business networks.
- Use secure remote access methods, such as Virtual Private Networks (VPNs), and ensure they are updated to the latest version.
- Perform impact analysis and risk assessment before deploying defensive measures.
- Refer to CISA’s [ICS webpage](https://www.cisa.gov/ics) for control systems security best practices.
---
## Conclusion
The discovery of seven critical vulnerabilities in AVEVA Process Optimization underscores the growing cybersecurity risks facing industrial software and critical infrastructure. Organizations using affected versions must act immediately to update to v2025 or implement the recommended mitigations to prevent exploitation.
Given the potential for remote code execution, privilege escalation, and data leakage, these vulnerabilities could serve as entry points for sophisticated cyberattacks on critical manufacturing sectors. Proactive measures, such as network segmentation, access controls, and regular updates, are essential to safeguarding industrial operations.
For more details, refer to the [CISA advisory](https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01) and AVEVA’s security bulletin [AVEVA-2026-001](https://www.aveva.com).
---