Executive Summary
In January 2026, AVEVA disclosed seven critical vulnerabilities in its Process Optimization suite, widely used by critical manufacturing and infrastructure sectors worldwide. The flaws, reported by Veracode’s Christopher Wu, include unauthenticated remote code execution, SQL injection, privilege escalation, code injection, and cleartext transmission of sensitive data. Attackers exploiting these vulnerabilities could fully compromise servers, escalate user privileges, access sensitive process data, and potentially undermine operational continuity or safety. Affected versions include all AVEVA Process Optimization releases up to and including 2024.1.
These vulnerabilities highlight increasing targeting of industrial control and process optimization platforms, exposing gaps in legacy ICS security. With global critical infrastructure at risk and exploitation methods aligned with broader trends in supply chain and lateral movement attacks, this incident underscores urgent needs for robust security controls, ongoing software updates, and regulatory compliance in the ICS/OT domain.
Why This Matters Now
Industrial control systems remain high-value targets for cyber adversaries, and unpatched vulnerabilities like those in AVEVA Process Optimization could enable catastrophic attacks on critical manufacturing operations. The convergence of IT and OT environments, combined with increasing connectivity, means that timely remediation and segmentation are now essential to protect against widespread disruption and compliance failures.
Attack Path Analysis
A plausible attack path starts with an external or internal threat actor exploiting exposed or weakly protected AVEVA Process Optimization services, using the code injection, SQL injection, and cleartext communication vulnerabilities. After gaining initial access, the attacker escalates privileges by tampering with TCL macros, causing services to load arbitrary code, or abusing insecure file or folder permissions. The adversary then pivots laterally within the environment, targeting other workloads and services, possibly reaching the SQL Server or compromising additional user accounts. For command and control, the attacker establishes outbound connections, possibly over unencrypted or weakly filtered channels, to maintain persistence and receive remote instructions. Sensitive data or project files are then exfiltrated through unmonitored egress paths or via the compromised internal database. Ultimately, the attacker could cause major business disruption or process tampering through persistent access, privilege abuse, or corruption of process optimization assets.
Kill Chain Progression
Initial Compromise
Description
An attacker exploits exposed services or vulnerable endpoints (including cleartext protocols and the taoimr service) to gain unauthorized access, leveraging vulnerabilities such as code injection or SQL injection.
Related CVEs
CVE-2025-61937 (CVSS 10)
An unauthenticated attacker can achieve remote code execution under OS System privileges of the 'taoimr' service, potentially resulting in complete compromise of the Model Application Server.
Affected Products: AVEVA Process Optimization – <=2024.1
Exploit Status: no public exploit
CVE-2025-64691 (CVSS 8.8)
An authenticated attacker (OS Standard User) can tamper with TCL Macro scripts and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server.
Affected Products: AVEVA Process Optimization – <=2024.1
Exploit Status: no public exploit
CVE-2025-61943 (CVSS 8.4)
An authenticated attacker (Process Optimization Standard User) can tamper with queries in Captive Historian and achieve code execution under SQL Server administrative privileges, potentially resulting in complete compromise of the SQL Server.
Affected Products: AVEVA Process Optimization – <=2024.1
Exploit Status: no public exploit
CVE-2025-65118 (CVSS 8.8)
An authenticated attacker (OS Standard User) can trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server.
Affected Products: AVEVA Process Optimization – <=2024.1
Exploit Status: no public exploit
CVE-2025-64729 (CVSS 8.1)
An authenticated attacker (OS Standard User) can tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files.
Affected Products: AVEVA Process Optimization – <=2024.1
Exploit Status: no public exploit
CVE-2025-65117 (CVSS 7.4)
An authenticated attacker (Process Optimization Designer User) can embed OLE objects into graphics and escalate their privileges to the identity of a victim user who subsequently interacts with the graphical elements.
Affected Products: AVEVA Process Optimization – <=2024.1
Exploit Status: no public exploit
CVE-2025-64769 (CVSS 7.1)
The Process Optimization application suite leverages connection channels/protocols that by default are not encrypted and could become subject to hijacking or data leakage in certain man-in-the-middle or passive inspection scenarios.
Affected Products: AVEVA Process Optimization – <=2024.1
Exploit Status: no public exploit
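An inventory check derived from the affected range and CVE list above, as an added example that is not AVEVA's or CISA's code; the version-string format, the host names and the rule of comparing on major.minor only (so that a 2024.1.x build is still treated as affected) are assumptions.

```python
# Inventory triage for the AVEVA Process Optimization advisory above.
# Added example, not AVEVA's or CISA's tooling. Assumes versions are reported as
# dotted numeric strings ("2024.1", "2023.2.3"); the real format is an assumption.
import re

LAST_AFFECTED = "2024.1"  # advisory: every release up to and including 2024.1

# (CVE, CVSS, needs an authenticated user) as listed in the advisory.
ADVISORY_CVES = [
    ("CVE-2025-61937", 10.0, False),  # unauthenticated RCE via the 'taoimr' service
    ("CVE-2025-64691", 8.8, True),    # TCL macro tampering, escalates to OS System
    ("CVE-2025-61943", 8.4, True),    # SQL injection in Captive Historian
    ("CVE-2025-65118", 8.8, True),    # services tricked into loading arbitrary code
    ("CVE-2025-64729", 8.1, True),    # code embedded in project files
    ("CVE-2025-65117", 7.4, True),    # OLE objects embedded in graphics
    ("CVE-2025-64769", 7.1, False),   # channels unencrypted by default
]

def parse_version(v):
    """'2024.1.1-hotfix' -> (2024, 1, 1): numeric prefix of each dotted piece,
    stopping at the first piece that has no leading digits."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)

def is_affected(version):
    """Compare on major.minor only, so a 2024.1.x build counts as affected
    (conservative: the advisory names 2024.1 without listing hotfix levels)."""
    return parse_version(version)[:2] <= parse_version(LAST_AFFECTED)[:2]

def triage(inventory):
    """inventory: iterable of (host, version). Returns affected hosts, oldest
    release first, tagged with the CVEs that need no account (patch these first)."""
    no_auth = [cve for cve, _, needs_auth in ADVISORY_CVES if not needs_auth]
    top = max(score for _, score, _ in ADVISORY_CVES)
    hits = [{"host": h, "version": v, "max_cvss": top, "unauthenticated": no_auth}
            for h, v in inventory if is_affected(v)]
    return sorted(hits, key=lambda f: parse_version(f["version"]))

# Constructed inventory, not real hosts; mas-03 is already past the affected range.
INVENTORY = [("mas-01", "2023.3"), ("mas-02", "2024.1"),
             ("mas-03", "2024.2"), ("hist-01", "2024.1.1-hotfix")]
```

Hosts that parse as unaffected should still be confirmed against the vendor bulletin, since the exact hotfix numbering is not stated on this page.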
MITRE ATT&CK® Techniques
Techniques mapped based on observed ICS exploitation vectors; list may be expanded with full TTP context in future releases.
Exploit Public-Facing Application
Process Injection
Command and Scripting Interpreter
Abuse Elevation Control Mechanism
Valid Accounts
Impair Defenses
Application Layer Protocol
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 Rev. 5 – Information Input Validation
Control ID: SI-10
PCI DSS 4.0 – Protect Applications from Injection Attacks
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management – Security of Network and Information Systems
Control ID: Article 9(2)
CISA Zero Trust Maturity Model 2.0 – Secure Application Development and Deployment
Control ID: Applications – Visibility and Control
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Critical AVEVA Process Optimization vulnerabilities enable remote code execution and privilege escalation in industrial control systems, threatening operational technology infrastructure and energy production processes.
Chemicals
Multiple code injection and SQL injection vulnerabilities in process optimization software could compromise chemical manufacturing operations, safety systems, and sensitive production data integrity.
Pharmaceuticals
Industrial control system vulnerabilities affecting process optimization could disrupt pharmaceutical manufacturing, compromise product quality data, and violate regulatory compliance requirements including data protection standards.
Food Production
AVEVA Process Optimization security flaws pose risks to food manufacturing control systems, potentially affecting production quality, safety monitoring, and supply chain operational continuity.
Sources
- AVEVA Process Optimization (CISA ICS advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 (Verified)
- AVEVA Security Bulletin AVEVA-2026-001: https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2026-001.pdf (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, encrypted communications, egress policy enforcement, and continuous threat detection through CNSF-aligned controls would have significantly reduced the attack surface, prevented lateral movement, and detected/suppressed anomalous behaviors throughout the kill chain.
Control: Cloud Firewall (ACF) & Encrypted Traffic (HPE)
Mitigation: Prevents exploitation via external attack surface reduction and encrypted communications.
Control: Zero Trust Segmentation
Mitigation: Limits scope and blocks privilege escalation between isolated workloads.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized lateral movement across the internal network.
Control: Egress Security & Inline IPS
Mitigation: Blocks and alerts on outbound malicious traffic or C2 signatures.
Control: Egress Policy Enforcement & Encrypted Traffic (HPE)
Mitigation: Prevents data exfiltration by restricting, inspecting, and encrypting outbound flows.
Detects, contains, and enables response to destructive or suspicious activity.
Impact at a Glance
Affected Business Functions
- Process Control
- Manufacturing Operations
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive operational data and intellectual property due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Implement microsegmentation and identity-based policy controls to minimize lateral movement and restrict resource access.
- Enforce end-to-end encryption (MACsec/IPsec/VPN) for all workloads and critical ICS network traffic to eliminate cleartext exposure.
- Deploy inline cloud firewalls and egress filtering to contain unauthorized inbound/outbound access and block command-and-control attempts.
- Enable real-time threat detection and anomaly response to rapidly identify and isolate suspicious privilege escalation or process manipulation.
- Continuously monitor, baseline, and audit all traffic between services, especially in hybrid and multi-cloud environments leveraging critical ICS/OT applications.