Advisory

AVEVA Process Optimization Vulnerabilities

Take action: Make sure all industrial devices are isolated from the internet and accessible from trusted networks only. Update to AVEVA Process Optimization v2025 immediately and restrict ports 8888 and 8889 to trusted sources.



CISA warns of seven flaws in AVEVA Process Optimization software that allow attackers to take over servers or steal data. One of the flaws carries the maximum severity score of 10. Attackers can exploit these issues to run code, move through networks, or gain higher system rights.

Vulnerabilities summary:

  • CVE-2025-61937 (CVSS score 10.0) lets unauthenticated attackers run code with system privileges by targeting the "taoimr" service. This can lead to a total takeover of the Model Application Server.
  • CVE-2025-64691 (CVSS score 8.8) - Privilege escalation via TCL Macro scripts.
  • CVE-2025-65118 (CVSS score 8.8) - Uncontrolled search path for privilege escalation.
  • CVE-2025-61943 (CVSS score 8.4) - SQL injection in Captive Historian for code execution.
  • CVE-2025-64729 (CVSS score 8.1) - Missing authorization in project files.
  • CVE-2025-65117 (CVSS score 7.4) - Use of dangerous functions via OLE objects.
  • CVE-2025-64769 (CVSS score 7.1) - Cleartext transmission of sensitive information.

These vulnerabilities affect versions 2024.1 and earlier. 

AVEVA recommends updating to version 2025 immediately. If you cannot update, use firewalls to block ports 8888 and 8889 from untrusted sources. Limit folder access with ACLs and ensure project files come from trusted sources. CISA also suggests keeping control networks behind firewalls and using VPNs for remote access.
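One way to check a firewall rule set against the port restriction above, as an added example that is not from AVEVA or CISA. The rule format (name, action, source, ports), the sample rules and the trusted range are constructed for illustration, and rule ordering is not modeled.

```python
import ipaddress

# Ports named in the advisory's mitigation.
RESTRICTED_PORTS = {8888, 8889}

def parse_ports(spec):
    """Turn '8888', '8000-9000', '443,8889' or 'any' into (low, high) ranges."""
    if spec.lower() == "any":
        return [(1, 65535)]
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def exposed_ports(spec):
    """Return the restricted ports that a rule's port spec covers."""
    ranges = parse_ports(spec)
    return sorted(p for p in RESTRICTED_PORTS
                  if any(low <= p <= high for low, high in ranges))

def audit(rules, trusted):
    """Flag allow rules that open 8888/8889 to a source outside the trusted networks."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        ports = exposed_ports(rule["ports"])
        if not ports:
            continue
        source = "0.0.0.0/0" if rule["source"] == "any" else rule["source"]
        src = ipaddress.ip_network(source)
        # A source is acceptable only if it sits entirely inside a trusted network.
        inside = any(src.version == t.version and src.subnet_of(t)
                     for t in trusted_nets)
        if not inside:
            findings.append((rule["name"], rule["source"], ports))
    return findings

# Constructed sample data: hypothetical trusted range and exported rules.
TRUSTED = ["10.20.0.0/16"]
SAMPLE_RULES = [
    {"name": "eng-workstations", "action": "allow", "source": "10.20.0.0/16", "ports": "8888-8889"},
    {"name": "legacy-any", "action": "allow", "source": "any", "ports": "8000-9000"},
    {"name": "vendor-support", "action": "allow", "source": "203.0.113.0/24", "ports": "443,8889"},
    {"name": "web", "action": "allow", "source": "any", "ports": "443"},
    {"name": "deny-rest", "action": "deny", "source": "any", "ports": "any"},
]

if __name__ == "__main__":
    for name, source, ports in audit(SAMPLE_RULES, TRUSTED):
        print(f"{name}: source {source} can reach restricted ports {ports}")
```

A rule is also flagged when its source range is wider than the trusted network it overlaps, since part of that range is untrusted.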
