AVEVA, a global leader in industrial software, has issued a critical security bulletin regarding its flagship Process Optimization software (formerly known as ROMeo). The alert details multiple vulnerabilities, including a flaw rated at the maximum CVSS score of 10.0 that could allow attackers to seize complete control of industrial modeling servers without ever needing to log in.
The most alarming discovery in the bulletin is CVE-2025-61937, a Remote Code Execution (RCE) vulnerability that has been assigned the maximum possible CVSS v4.0 score of 10.0. This flaw resides in the application’s API and poses a severe threat to organizations running “AVEVA Process Optimization (formerly ROMeo) 2024.1 and all prior versions”.
Unlike many vulnerabilities that require an attacker to trick a user or steal credentials first, this flaw creates an open door for any attacker with network access. According to the security bulletin:
“The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS System privileges of ‘taoimr’ service, potentially resulting in complete compromise of the Model Application Server.”
The bulletin highlights several vulnerabilities that allow “standard users”—such as employees with low-level access—to elevate their privileges and take over the system.
- Macro Manipulation (CVE-2025-64691, CVSS 9.3): An authenticated OS standard user can tamper with TCL Macro scripts that the product later executes with higher privileges. “The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with TCL Macro scripts and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server.”
- SQL Injection (CVE-2025-61943, CVSS 9.3): An authenticated attacker can target the Captive Historian component to run code with SQL Server administrative privileges. “The vulnerability, if exploited, could allow an authenticated miscreant… to tamper with queries in Captive Historian and achieve code execution under SQL Server administrative privileges.”
- DLL Hijacking (CVE-2025-65118, CVSS 9.3): By placing a malicious library where a Process Optimization service will load it, an authenticated attacker can escalate to OS System. “The vulnerability, if exploited, could allow an authenticated miscreant… to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System.”
The report also warns of cleartext transmission risks (CVE-2025-64769), where unencrypted channels could allow attackers to intercept sensitive data via Man-in-the-Middle attacks. Furthermore, vulnerabilities involving OLE objects (CVE-2025-65117) and missing access controls (CVE-2025-64729) allow attackers to embed malicious content into project files or graphics, effectively setting traps for other users.
The vulnerabilities affect AVEVA Process Optimization 2024.1 and all prior versions. AVEVA advises customers to upgrade immediately to AVEVA Process Optimization 2025 or higher to fix these issues.
For organizations unable to patch immediately, AVEVA recommends strict temporary defensive measures:
- Restrict Traffic: Apply firewall rules to limit the ‘taoimr’ service to trusted sources only.
- Lock Down Folders: Apply Access Control Lists (ACLs) to installation and data folders to prevent unauthorized write access.
- Secure Project Files: Maintain a trusted “chain-of-custody” for all project files to prevent tampering.
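The following PowerShell script is an added example of how an administrator might apply the three interim mitigations above on the Model Application Server; it is not code from AVEVA or from the bulletin. The install path, data path, service identity, TCP port and trusted networks are all assumptions (the bulletin does not state them) and must be replaced with the deployment's real values. The folder-lockdown part also addresses the write-access precondition behind the DLL hijacking and TCL macro tampering findings, since both require a standard user to write where the service reads.

```powershell
#Requires -RunAsAdministrator
# Added example: interim hardening for AVEVA Process Optimization (not AVEVA's own script).
# Every value marked "assumption" is a placeholder for the real deployment.

$InstallRoot  = 'C:\Program Files\AVEVA\Process Optimization'   # assumption: install folder
$DataRoot     = 'D:\ROMeo\Projects'                              # assumption: project/data folder
$ServiceUser  = 'NT SERVICE\taoimr'                              # assumption: identity the taoimr service runs as
$TaoimrPort   = 12345                                            # assumption: TCP port taoimr listens on
$TrustedNets  = @('10.10.20.0/24', '10.10.21.15')                # assumption: engineering subnet, historian host
$ManifestPath = 'C:\Admin\aveva-project-manifest.csv'            # assumption: folder writable by admins only

# --- 1. Restrict traffic -------------------------------------------------------------
# Windows Firewall gives Block rules precedence over Allow rules, so "allow trusted, block
# the rest" is expressed as default-deny inbound plus one Allow rule scoped to trusted
# sources, and no other enabled Allow rule that still exposes the same port to Any.
function Set-TaoimrFirewall {
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
    New-NetFirewallRule -DisplayName 'AVEVA taoimr - trusted sources only' `
        -Direction Inbound -Protocol TCP -LocalPort $TaoimrPort `
        -RemoteAddress $TrustedNets -Action Allow -Profile Any | Out-Null
}

# Enabled inbound Allow rules that expose the taoimr port to any remote address.
function Get-OverlyBroadTaoimrRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
        (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$TaoimrPort") -and
        (($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any')
    }
}

# --- 2. Lock down folders ------------------------------------------------------------
# Reset the ACL so only SYSTEM, Administrators and (where needed) the service identity can
# write; standard users get read/execute only. /inheritance:r drops inherited ACEs,
# /grant:r replaces existing grants instead of adding to them, /T recurses.
function Set-FolderLockdown {
    param([string]$Path, [bool]$ServiceWrites)
    $grants = @('NT AUTHORITY\SYSTEM:(OI)(CI)F', 'BUILTIN\Administrators:(OI)(CI)F', 'BUILTIN\Users:(OI)(CI)RX')
    $grants += if ($ServiceWrites) { "$($ServiceUser):(OI)(CI)M" } else { "$($ServiceUser):(OI)(CI)RX" }
    & icacls.exe $Path /inheritance:r /grant:r $grants /T /C /Q
}

# Audit: every folder under $Path where a broad principal still holds a write-capable right.
# This is the condition a DLL-hijack or macro-tamper attempt needs, so the list should be empty.
function Get-StandardUserWritableFolders {
    param([string]$Path)
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $dirs = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $d.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
                [pscustomobject]@{ Folder = $d.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# --- 3. Project-file chain of custody ------------------------------------------------
# Record SHA-256 of every project file from a trusted baseline; verify before a project that
# arrived by e-mail, USB or a shared drive is opened, since OLE objects or graphics can be
# planted in it for the next user.
function New-ProjectManifest {
    param([string]$Path, [string]$ManifestPath)
    Get-ChildItem -LiteralPath $Path -File -Recurse | Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

# Emits MODIFIED, UNTRACKED and MISSING entries; an empty result means the tree matches the baseline.
function Test-ProjectManifest {
    param([string]$Path, [string]$ManifestPath)
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $expected[$_.Path] = $_.Hash }
    foreach ($f in Get-ChildItem -LiteralPath $Path -File -Recurse) {
        $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        if (-not $expected.ContainsKey($f.FullName)) { [pscustomobject]@{ File = $f.FullName; Status = 'UNTRACKED' } }
        elseif ($expected[$f.FullName] -ne $h)       { [pscustomobject]@{ File = $f.FullName; Status = 'MODIFIED' } }
    }
    foreach ($p in $expected.Keys) {
        if (-not (Test-Path -LiteralPath $p)) { [pscustomobject]@{ File = $p; Status = 'MISSING' } }
    }
}

# Usage on the Model Application Server (run as Administrator):
Set-TaoimrFirewall
Get-OverlyBroadTaoimrRules | Format-Table DisplayName, Profile
Set-FolderLockdown -Path $InstallRoot -ServiceWrites $false
Set-FolderLockdown -Path $DataRoot    -ServiceWrites $true
Get-StandardUserWritableFolders -Path $InstallRoot | Format-Table
New-ProjectManifest  -Path $DataRoot -ManifestPath $ManifestPath
Test-ProjectManifest -Path $DataRoot -ManifestPath $ManifestPath
```

Two caveats before running this against a production server. First, the ACL grants are deliberately strict: giving standard users read/execute only on the data folder will break any workflow in which engineers save projects there directly, so the grant list has to match how the site actually edits projects; the point the bulletin makes is that nobody who should not write there can. Second, the manifest is only as trustworthy as its storage: keep it (and the script) in a location standard users cannot modify, otherwise an attacker who can tamper with a project file can rewrite the baseline as well.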