AVEVA Process Optimization

Plan PatchCVSS 10ICS-CERT ICSA-26-015-01Jan 15, 2026

AVEVA

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

AVEVA Process Optimization versions 2024.1 and earlier contain multiple critical vulnerabilities including remote code execution (CWE-94), SQL injection (CWE-89), privilege escalation (CWE-862), and insecure cryptographic practices (CWE-319). The vulnerabilities are remotely exploitable without authentication via the default listening ports (8888/8889 TLS). Successful exploitation could enable attackers to execute arbitrary code, manipulate process data, escalate privileges, and access sensitive information.

What this means

What could happen

An attacker could execute arbitrary code on the Process Optimization server, modify or extract sensitive process data via SQL injection, escalate privileges, or steal sensitive information, potentially disrupting critical industrial process control and optimization operations.

Who's at risk

AVEVA Process Optimization users managing manufacturing and process optimization operations. This affects industrial plants using AVEVA's optimization software for production scheduling, energy management, and resource allocation.

How it could be exploited

An attacker with network access to port 8888 or 8889 (TLS) on the Process Optimization server can send a malicious request to trigger code execution, SQL injection, or privilege escalation without requiring authentication or user interaction.

Prerequisites

Network access to port 8888 or 8889 (TLS) on the AVEVA Process Optimization server
No authentication required

remotely exploitableno authentication requiredlow complexitycritical CVSS (10.0)affects process control operations

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

Process Optimization: <=2024.1≤ 2024.1v2025

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict firewall rules on ports 8888/8889 to accept traffic only from trusted engineering workstations and authorized systems

HARDENINGApply access control lists (ACLs) to Process Optimization installation and data folders to limit write access to trusted users only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate AVEVA Process Optimization to version 2025 or later

Long-term hardening

0/1

HARDENINGMaintain chain-of-custody controls on Process Optimization project files, including secure creation, modification, distribution, backup, and storage procedures

CVEs (7)

CVE-2025-61937 CVE-2025-64691 CVE-2025-61943 CVE-2025-65118 CVE-2025-64729 CVE-2025-65117 CVE-2025-64769

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c94f88d3-85bc-4b0f-ac52-0516be37e0aa

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.