CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-61937

CVSS 10.0v4.0pub. 2026-01-16upd. 2026-01-22

The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of “taoimr” service, potentially resulting in complete compromise of the  model application server.

🤖 AI Analysis
How it works

An error classified as CWE-94 (Code Injection) allows an attacker to inject and execute malicious code without requiring authentication. The attack is possible remotely, over the network, without any user interaction or special configuration conditions. The executed code runs in the context of the 'taoimr' system service privileges, providing the attacker with a high level of access to the operating system.

Impact

An attacker can gain full control over the model application server, including the ability to read, modify, and delete data as well as install malicious software. According to the CVSS vector, the impact includes compromising the confidentiality, integrity, and availability of both the target system and associated systems.

Mitigation & patch

Patches available from the manufacturer should be applied according to references — updates available through the Aveva support portal (softwaresupportsp.aveva.com) and the Aveva cybersecurity updates page. It is recommended to isolate Aveva Process Optimization servers from untrusted networks until the patch is applied and to monitor network traffic directed to the 'taoimr' service.

Who is affected

Aveva Process Optimization — versions indicated in the manufacturer's references (CISA ICS advisory: ICSA-26-015-01 and Aveva support page).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Aveva Process Optimization

    APP
    Aveva
    < 2025
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-61943CRITICAL9.3PL ✓ten sam produkt

SQL Injection w Aveva Process Optimization umożliwiający RCE

CVE-2025-64691CRITICAL9.3PL ✓ten sam produkt

Privilege escalation przez manipulację skryptami TCL w Aveva Process Optimization

CVE-2025-65118CRITICAL9.3PL ✓ten sam produkt

Privilege escalation w Aveva Process Optimization (CWE-427)

CVE-2025-64729HIGH8.6ten sam produkt

The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Pro...

CVE-2025-64769HIGH7.6ten sam produkt

The Process Optimization application suite leverages connection channels/protocols that by-default are not en...