Cyber Posture

CVE-2025-61937

CriticalRCE
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: affectedAppOther: not affectedOth

Published: 16 January 2026

Published
16 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0012 29.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-61937 is a critical-severity Code Injection (CWE-94) vulnerability in Aveva Process Optimization. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and patching of critical flaws like CVE-2025-61937 to prevent remote code execution exploitation.

SI-10 Information Input Validation good match
prevent

Mandates validation of all information inputs to the taoimr service, directly countering the code injection vulnerability (CWE-94).

AC-6 Least Privilege partial match
prevent

Enforces least privilege for the taoimr service account, limiting the scope and impact of remote code execution even if the injection succeeds.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Remote unauthenticated code injection (CWE-94) in a network-accessible service directly enables T1190 Exploit Public-Facing Application for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of “taoimr” service, potentially resulting in complete compromise of the  model application server.

Deeper analysisAI

CVE-2025-61937 is a critical code injection vulnerability (CWE-94) with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), published on 2026-01-16. It affects the “taoimr” service running on the model application server, where exploitation enables remote code execution under the OS system privileges of that service.

An unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants remote code execution as the “taoimr” service, potentially resulting in complete compromise of the model application server.

Mitigation details are provided in advisories such as CISA ICSA-26-015-01 and AVEVA cyber security updates, with patches available via AVEVA's software support portal. Security practitioners should consult these resources, including the CSAF JSON file on GitHub, for specific remediation steps.

Details

CWE(s)
CWE-94

Affected Products

aveva
process optimization
≤ 2025

CVEs Like This One

CVE-2025-64691Same product: Aveva Process Optimization
CVE-2025-64729Same product: Aveva Process Optimization
CVE-2025-65117Same product: Aveva Process Optimization
CVE-2025-65118Same product: Aveva Process Optimization
CVE-2025-64769Same product: Aveva Process Optimization
CVE-2025-61943Same product: Aveva Process Optimization
CVE-2026-35178Shared CWE-94
CVE-2024-1490Shared CWE-94
CVE-2024-7419Shared CWE-94
CVE-2025-46581Shared CWE-94

References