Cleartext Transmission of Sensitive Information in AVEVA Process Optimization

Successful exploitation can expose sensitive information transmitted by AVEVA Process Optimization and may also allow connection or session hijacking in man-in-the-middle scenarios. Depending on the traffic traversing the affected channels, an attacker may obtain confidential operational data, credentials, or other sensitive application information, and may be able to tamper with communications, affecting confidentiality and integrity. The advisory also indicates limited availability impact is possible.

Until full remediation is applied, enforce encryption for all relevant Process Optimization communications wherever possible, disable or avoid plaintext protocols, and place the system on trusted, segmented networks. Restrict network exposure of control system devices, ensure they are not directly accessible from the internet, and limit access paths to trusted sources only. Additional compensating controls include firewalling and minimizing opportunities for adversaries to perform passive inspection or man-in-the-middle interception on the affected network segments.

AVEVA’s primary remediation for the vulnerabilities affecting Process Optimization is to upgrade to AVEVA Process Optimization v2025. For this issue specifically, remediation should include moving affected connection channels and protocols to encrypted transport and validating that secure communications are enabled by default wherever supported. If vendor configuration guidance is available in the deployed environment, operators should ensure all relevant endpoints are configured to require encrypted communications rather than plaintext defaults.