What happened
Multiple critical vulnerabilities were disclosed in AVEVA Process Optimization (formerly ROMeo) 2024.1 and earlier, including an unauthenticated remote code execution (RCE) flaw that allows attackers to execute arbitrary code with SYSTEM privileges. Alongside this critical vulnerability (CVE-2025-61937), other high-severity issues include code injection via the macro functionality, SQL injection leading to elevated privileges, DLL hijacking, missing ACLs, and weaknesses that enable project file tampering. Together, these flaws allow attackers to compromise the Model Application Server and the infrastructure connected to it across industrial process control environments. The vulnerabilities were identified during a penetration test and coordinated with CISA; AVEVA recommends upgrading to the 2025 release to remediate all known flaws.
Who is affected
Industrial operators and enterprises running AVEVA Process Optimization are directly affected; vulnerable systems are exposed to remote (unauthenticated) or authenticated compromise of critical control infrastructure.
Why CISOs should care
Critical system-level RCE and privilege escalation flaws in industrial software pose significant operational and safety risks, including potential disruption of production systems and unauthorized command execution.
3 practical actions
- Apply vendor patches: Upgrade to AVEVA Process Optimization 2025 or later immediately.
- Segment industrial networks: Restrict access to industrial control system components.
- Harden access controls: Enforce strict ACL and firewall rules around exposed services.
