PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-64729 AVEVA CVE debrief

CVE-2025-64729 is a high-severity AVEVA Process Optimization vulnerability disclosed by CISA on 2026-01-15. According to the advisory, an authenticated OS standard user could tamper with Process Optimization project files, embed code, and then escalate privileges to the identity of a victim user who later interacts with those files. AVEVA’s guidance centers on updating to the fixed release and hardening file and network access controls around the affected service and project data.

Vendor: AVEVA
Product: Process Optimization
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-15
Original CVE updated: 2026-01-15
Advisory published: 2026-01-15
Advisory updated: 2026-01-15

Who should care

Organizations using AVEVA Process Optimization, especially teams responsible for OT/ICS engineering workstations, project-file handling, and Windows access control on systems where multiple users can create, modify, distribute, or open Process Optimization project files.

Technical summary

The advisory describes a local, authenticated attack path with low privileges and required user interaction. The supplied CVSS vector (AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L) indicates the issue can cross security boundaries and has strong confidentiality and integrity impact. CISA’s summary focuses on tampering with project files, code embedding, and privilege escalation when a victim later interacts with the modified files.

Defensive priority

High. The combination of authenticated access, project-file tampering, potential code embedding, and privilege escalation makes this a priority for environments that rely on shared Process Optimization project workflows.

Recommended defensive actions

  • Update AVEVA Process Optimization to v2025 using the vendor-provided fix.
  • Restrict the taoimr service with host and/or network firewall rules so it accepts traffic only from trusted sources; by default, the product listens on ports 8888/8889 (TLS).
  • Apply ACLs to installation and data folders so only trusted users can write to them.
  • Maintain a trusted chain of custody for Process Optimization project files during creation, modification, distribution, backups, and use.
  • Review AVEVA’s security bulletin AVEVA-2026-001 for any additional vendor guidance.
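
The chain-of-custody action above can be backed by a keyed integrity manifest that is checked before a project tree is opened. This is an added example, not AVEVA or CISA code; the file names and extensions, the demo key, and the assumption that the manifest and key live where standard users cannot read or write them are all hypothetical.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def digest_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def _mac(files, key):
    # Canonical JSON so the same file set always yields the same MAC input.
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(root, key):
    """Record the trusted state. Store the result outside the project tree."""
    files = digest_tree(root)
    return {"files": files, "mac": _mac(files, key)}

def verify(root, manifest, key):
    """Return findings; an empty list means the tree matches the sealed state."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest.get("mac", "")):
        return ["manifest: MAC mismatch"]
    sealed, current = manifest["files"], digest_tree(root)
    findings = []
    for name in sorted(set(sealed) | set(current)):
        if name not in current:
            findings.append(f"missing: {name}")
        elif name not in sealed:
            findings.append(f"unexpected: {name}")
        elif sealed[name] != current[name]:
            findings.append(f"modified: {name}")
    return findings

def demo():
    """Constructed sample tree; file names and extensions are hypothetical."""
    key = b"constructed-demo-key"  # assumption: real key is unreadable by standard users
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "models").mkdir()
        (root / "plant_a.proj").write_bytes(b"model v1")
        (root / "models" / "unit1.dat").write_bytes(b"params")
        manifest = seal(root, key)
        clean = verify(root, manifest, key)
        (root / "plant_a.proj").write_bytes(b"model v1 + embedded code")
        (root / "models" / "extra.bin").write_bytes(b"dropped file")
        tampered = verify(root, manifest, key)
        forged = dict(manifest, files=digest_tree(root))  # digests rewritten without the key
        return clean, tampered, verify(root, forged, key)
```

A non-empty result from `verify` is the signal to stop and review the project files before any user opens them.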

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-015-01 (published 2026-01-15, initial republication of AVEVA-2026-001), the embedded vendor remediation guidance, and the supplied CVSS vector/score. No KEV listing was provided in the source corpus.

Official resources

Publicly disclosed by CISA in ICSA-26-015-01 on 2026-01-15; the advisory notes this was an initial republication of AVEVA-2026-001. No Known Exploited Vulnerabilities (KEV) listing was included in the supplied source material.