What is CVE-2025-61937?

CVE-2025-61937 is a critical-severity vulnerability in Aveva Process Optimization, classified under Code Injection. CVSS score: 10.0/10. Published 2026-01-16.

How severe is CVE-2025-61937?

Critical severity. CVSS v3 base score is 10.0 out of 10.

RCE in Aveva Process Optimization

CVE-2025-61937

The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of “taoimr” service, potentially resulting in complete compromise of the model application server.

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.001 (30.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Aveva Process Optimization — versions 0

Weakness classification (CWE)

CWE-94 — Code Injection

References

www.aveva.com/en/support-and-success/cyber-security-updates/
softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde…
www.cisa.gov/news-events/ics-advisories/icsa-26-015-01
github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.js…

Frequently asked questions

What is CVE-2025-61937?: CVE-2025-61937 is a critical-severity vulnerability in Aveva Process Optimization, classified under Code Injection. CVSS score: 10.0/10. Published 2026-01-16.
How severe is CVE-2025-61937?: Critical severity. CVSS v3 base score is 10.0 out of 10.