{"id":9992,"date":"2026-01-20T10:03:43","date_gmt":"2026-01-20T10:03:43","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/20\/critical-aveva-software-vulnerabilities-enables-remote-code-execution-under-system-privileges\/"},"modified":"2026-01-20T10:03:43","modified_gmt":"2026-01-20T10:03:43","slug":"critical-aveva-software-vulnerabilities-enables-remote-code-execution-under-system-privileges","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/20\/critical-aveva-software-vulnerabilities-enables-remote-code-execution-under-system-privileges\/","title":{"rendered":"Critical AVEVA Software Vulnerabilities Enables Remote Code Execution Under System Privileges"},"content":{"rendered":"

Critical AVEVA Software Vulnerabilities Enables Remote Code Execution Under System Privileges
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Seven vulnerabilities were disclosed in Process Optimization (formerly ROMeo) 2024.1 and earlier on January 13, 2026, including a critical flaw enabling unauthenticated SYSTEM-level<\/a> remote code execution.<\/p>\n

The most severe vulnerability enables unauthenticated attackers to achieve remote code execution under system privileges, posing an immediate risk to industrial process control environments worldwide.\u200b<\/p>\n

The primary threat stems from a critical code injection vulnerability in the application\u2019s API layer<\/a>. An unauthenticated attacker can exploit this flaw to execute arbitrary code with full system privileges on the \u201ctaoimr\u201d service.<\/p>\n

Potentially compromising the entire Model Application Server and connected infrastructure.<\/p>\n

Vulnerability Summary<\/strong><\/h2>\n

This attack requires no user interaction, is low-complexity, and can be executed remotely over the network, making it exceptionally dangerous for organizations running vulnerable versions.\u200b<\/p>\n

Additional severe vulnerabilities include code injection<\/a> via macro functionality that allows authenticated users to escalate from standard OS user to system-level privileges.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n
CVE ID<\/th>\nType<\/th>\nCVSS v4.0<\/th>\nSeverity<\/th>\nImpact<\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-61937<\/td>\nRemote Code Execution (API)<\/td>\n10.0<\/td>\nCritical<\/td>\nUnauthenticated RCE under system privileges<\/td>\n<\/tr>\n
CVE-2025-64691<\/td>\nCode Injection (Macros)<\/td>\n9.3<\/td>\nCritical<\/td>\nPrivilege escalation via TCL scripts<\/td>\n<\/tr>\n
CVE-2025-61943<\/td>\nSQL Injection<\/a><\/td>\n9.3<\/td>\nCritical<\/td>\nSQL Server admin code execution<\/td>\n<\/tr>\n
CVE-2025-65118<\/td>\nDLL Hijacking<\/td>\n9.3<\/td>\nCritical<\/td>\nSystem privilege escalation<\/td>\n<\/tr>\n
CVE-2025-64729<\/td>\nMissing ACLs<\/td>\n8.6<\/td>\nHigh<\/td>\nProject file tampering & privilege escalation<\/td>\n<\/tr>\n
CVE-2025-65117<\/td>\nEmbedded OLE Objects<\/td>\n8.5<\/td>\nHigh<\/td>\nMalicious content delivery<\/td>\n<\/tr>\n
CVE-2025-64769<\/td>\nCleartext Transmission<\/td>\n7.6<\/td>\nHigh<\/td>\nData interception via Man-in-the-Middle<\/a>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

SQL injection flaws in the Captive Historian component that grant attackers SQL Server administrative access.<\/p>\n

A DLL hijacking<\/a> vulnerability enables authenticated users to load arbitrary code and elevate their privileges to system-level.<\/p>\n

These attack vectors collectively demonstrate sophisticated exploitation pathways that could completely compromise affected systems.\u200b<\/p>\n

AVEVA recommends<\/a> immediate action: organizations should upgrade to AVEVA Process Optimization 2025 or higher to patch all identified vulnerabilities.<\/p>\n

As an interim defensive measure, administrators should implement network firewall rules<\/a> restricting the taoimr service (default ports 8888\/8889) to trusted sources only.<\/p>\n

Apply strict access control lists to installation and data folders, and maintain rigorous change management for project files.<\/p>\n

The vulnerabilities were discovered during a planned penetration test<\/a> by Veracode security researcher Christopher Wu and coordinated with CISA.\u200b<\/p>\n

Organizations operating AVEVA Process Optimization environments should prioritize patching<\/a> immediately to prevent exploitation of these critical flaws in their industrial control systems infrastructure.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Critical AVEVA Software Vulnerabilities Enables Remote Code Execution Under System Privileges<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Critical AVEVA Software Vulnerabilities Enables Remote Code Execution Under System Privileges Seven vulnerabilities were disclosed in Process Optimization (formerly ROMeo) 2024.1 and earlier on January 13, 2026, including a critical flaw enabling unauthenticated SYSTEM-level remote code execution. The most severe vulnerability enables unauthenticated attackers to achieve remote code execution under system privileges, posing an immediate […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2015,129,63,416],"tags":[130],"class_list":["post-9992","post","type-post","status-publish","format-standard","hentry","category-cve-vulnerabilities","category-cyber-security","category-cyber-security-news","category-vulnerabilities","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9992"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9992"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9992\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}