Critical

Unauthenticated RCE in AVEVA Process Optimization taoimr API

IdentifiersCVE-2025-61937CWE-94· Improper Control of Generation of…

CVE-2025-61937 is a critical code injection vulnerability in AVEVA Process Optimization (formerly ROMeo) 2024.1 and earlier. Available advisory content describes the flaw as residing in the application's API layer and allowing an unauthenticated remote attacker to trigger arbitrary code execution via the "taoimr" service. Successful exploitation executes attacker-controlled code with OS SYSTEM-level privileges in the context of that service, which can lead to full compromise of the Model Application Server. The published metadata associates the issue with CWE-94 and CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating network reachability, low complexity, no privileges required, and no user interaction.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote code execution with OS SYSTEM privileges of the "taoimr" service. This can result in complete compromise of the AVEVA Process Optimization Model Application Server, including full loss of confidentiality, integrity, and availability on the affected host. Because the CVSS scope is changed and advisory text notes possible complete server compromise, exploitation may also enable follow-on actions against connected infrastructure or dependent systems managed through the server.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, restrict network access to the taoimr service to trusted sources only using firewall rules or equivalent network controls. AVEVA notes Process Optimization listens by default on ports 8888 and 8889, including TLS on 8889. CISA additionally recommends minimizing network exposure of control system devices and ensuring they are not directly accessible from the internet. More generally, segment the Model Application Server from untrusted networks and tightly control administrative and application access paths until the product can be upgraded.

Remediation

Patch, then assume compromise.

AVEVA's recommended remediation is to upgrade AVEVA Process Optimization to version 2025 or later. The affected versions are 2024.1 and earlier. Apply the vendor-provided update from AVEVA and validate that exposed Process Optimization services, including the taoimr service, are running the fixed release after upgrade.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AvevaProcess Optimizationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app

the hacker newsNews

Jan 26, 2026

⚡ Weekly Recap: Firewall Flaws, AI-Built Malware, Browser Traps, Critical CVEs & More

Unknown

cyber security newsNews

Jan 20, 2026

Critical AVEVA Software Vulnerabilities Enables Remote Code Execution Under System Privileges

A critical unauthenticated remote code execution vulnerability in the AVEVA Process Optimization API layer that allows arbitrary code execution as SYSTEM via the taoimr service.

cvefeed high severityNews

May 31, 2026

CVE-2025-61937 - AVEVA Process Optimization Code Injection

A remote code execution vulnerability that could allow an unauthenticated attacker to execute code with OS system privileges of the “taoimr” service, potentially fully compromising the model application server.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-61937

NVD

nvd.nist.gov/vuln/detail/CVE-2025-61937

MITRE CWE · CWE-94

Improper Control of Generation of Code ('Code…

Vendor Advisory

aveva.com/en/support-and-success/cyber-security-updates

Third Party Advisory

github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json

Third Party Advisory

cisa.gov/news-events/ics-advisories/icsa-26-015-01

Permissions Required

softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea