CVE-2025-61937

Published Jan 16, 2026

Last updated 5 months ago

CVSS critical 10.0
API

Overview

Description
The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of “taoimr” service, potentially resulting in complete compromise of the  model application server.
Source
ics-cert@hq.dhs.gov
NVD status
Analyzed
Products
process_optimization

Risk scores

CVSS 4.0

Type
Secondary
Base score
10
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

ics-cert@hq.dhs.gov
CWE-94

Social media

Hype score
Not currently trending

  1. 🚨 Critical AVEVA Process Optimization Flaws Enable Unauthenticated SYSTEM-Level RCE Seven vulnerabilities in AVEVA Process Optimization (ROMeo) 2024.1 and earlier include a CVSS 10.0 API-layer code injection bug (CVE-2025-61937) that allows unauthenticated attackers to execute

    @ThreatSynop

    20 Jan 2026

    64 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 産業制御ソフトAVEVA Process Optimization(旧ROMeo)にCVSSv4スコア10の脆弱性。CVE-2025-61937は標準ユーザーがAPI経由で任意コード実行可能なもの。CVSSスコア9.3の他脆弱性3件と併せ修正。 https://t.co/Id3mcSUV4S

    @__kokumoto

    20 Jan 2026

    259 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. 🚨 New Critical CVE: CVE-2025-61937 📊 Score: 10.0 📝 The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution un... 🔗 Read Details: https://t.co/4ryfI5zf5B #CVE #CyberSecurity #WatchStack

    @watchstackio

    16 Jan 2026

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Nx Console Embedded Malicious Code VulnerabilityCVE-2026-48027
  2. Microsoft Defender Denial of Service VulnerabilityCVE-2026-45498
  3. Microsoft Defender Link Following VulnerabilityCVE-2026-41091
  4. Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.CVE-2026-7776
  5. A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function create_document/open_document of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.CVE-2026-7738

References

Sources include official advisories and independent security research.