Critical AVEVA Software Vulnerabilities Enable System-Level RCE and Escalation

Related

Hackers Exploit Critical Auth Bypass in Gitea Docker Image

What happened Hackers are actively exploiting a critical authentication bypass...

Zimbra Urges Customers to Patch Critical Web Client XSS Flaw

What happened Zimbra urged customers to patch a critical stored...

Progress Urges ShareFile Customers to Shut Down Servers Over Credible Threat

What happened Progress Software warned ShareFile customers using Storage Zone...

Ubiquiti Discloses 25 Security Flaws Across UniFi Ecosystem

What happened Ubiquiti disclosed 25 security vulnerabilities affecting products across...

AirDrop and Quick Share Flaws Allow Attackers to Crash Nearby Devices

What happened Security researchers disclosed multiple vulnerabilities affecting Apple AirDrop...

Share

What happened

Multiple critical vulnerabilities were disclosed in AVEVA Process Optimization (formerly ROMeo) 2024.1 and earlier, including an unauthenticated remote code execution (RCE) flaw that allows attackers to execute arbitrary code under SYSTEM privileges. Alongside this critical vulnerability (CVE-2025-61937), other high-severity issues include code injection via macro functionality, SQL injection leading to elevated privileges, DLL hijacking, missing ACLs, and issues enabling project file tampering. These weaknesses collectively allow attackers to compromise the Model Application Server and connected infrastructure across industrial process control environments. The vulnerabilities were identified during a penetration test and coordinated with CISA; AVEVA recommends upgrading to the 2025 release to remediate all known flaws. 

Who is affected

Industrial operators and enterprises using AVEVA Process Optimization software are directly impacted; vulnerable systems may be exposed to remote or authenticated compromise of critical control infrastructure.

Why CISOs should care

Critical system-level RCE and privilege escalation flaws in industrial software pose significant operational and safety risks, including potential disruption of production systems and unauthorized command execution.

3 practical actions

  • Apply vendor patches: Upgrade to AVEVA Process Optimization 2025 or later immediately.
  • Segment industrial networks: Restrict access to industrial control system components.
  • Harden access controls: Enforce strict ACL and firewall rules around exposed services.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.