CVE-2025-61937 AVEVA CVE debrief

Who should care

Organizations running AVEVA Process Optimization, especially teams responsible for OT/ICS engineering workstations, Model Application Server deployments, and any environment where the taoimr service is reachable from untrusted networks.

Technical summary

The advisory describes a network-reachable, unauthenticated remote code execution condition affecting AVEVA Process Optimization. The stated impact is severe: code execution runs with OS System privileges of the taoimr service, which can result in full compromise of the Model Application Server. The supplied CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, matching the CRITICAL severity classification.

Defensive priority

Emergency. Prioritize patching or compensating controls immediately because the issue is unauthenticated, network-based, and capable of high-impact compromise of a core server component.

Recommended defensive actions

• Update AVEVA Process Optimization to v2025 using AVEVA's vendor fix guidance.
• Restrict taoimr service access with host and/or network firewall rules so only trusted sources can connect.
• Apply ACLs to installation and data folders, limiting write access to trusted users only.
• Maintain a trusted chain-of-custody for Process Optimization project files during creation, modification, distribution, backups, and use.
• Review deployment exposure for ports 8888/8889 (TLS) and ensure they are not unnecessarily reachable from untrusted networks.

Evidence notes

This debrief is based only on the supplied CISA CSAF advisory and linked official references. The advisory metadata states initial republication of AVEVA-2026-001 and lists the issue date as 2026-01-15T07:00:00.000Z. No KEV entry was supplied. The impact statement, product name, remediation guidance, and CVSS vector are taken directly from the source corpus.

Official resources