The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of “taoimr” service, potentially resulting in complete compromise of the model application server.
An error classified as CWE-94 (Code Injection) allows an attacker to inject and execute malicious code without requiring authentication. The attack is possible remotely, over the network, without any user interaction or special configuration conditions. The executed code runs in the context of the 'taoimr' system service privileges, providing the attacker with a high level of access to the operating system.
An attacker can gain full control over the model application server, including the ability to read, modify, and delete data as well as install malicious software. According to the CVSS vector, the impact includes compromising the confidentiality, integrity, and availability of both the target system and associated systems.
Patches available from the manufacturer should be applied according to references — updates available through the Aveva support portal (softwaresupportsp.aveva.com) and the Aveva cybersecurity updates page. It is recommended to isolate Aveva Process Optimization servers from untrusted networks until the patch is applied and to monitor network traffic directed to the 'taoimr' service.
Aveva Process Optimization — versions indicated in the manufacturer's references (CISA ICS advisory: ICSA-26-015-01 and Aveva support page).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAveva Process Optimization
APPAveva< 2025
Related vulnerabilities
SQL Injection w Aveva Process Optimization umożliwiający RCE
Privilege escalation przez manipulację skryptami TCL w Aveva Process Optimization
Privilege escalation w Aveva Process Optimization (CWE-427)
The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Pro...
The Process Optimization application suite leverages connection channels/protocols that by-default are not en...