OTPulse

Valmet DNA

Plan Patch · CVSS 8.8 · ICS-CERT ICSA-22-102-01 · Apr 12, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Valmet DNA versions Collection 2012 through Collection 2021 contain a cryptographic weakness (CWE-326) that allows an attacker with network access to execute arbitrary commands with system privileges. No public exploits are currently known, but the vulnerability has a CVSS score of 8.8, indicating high severity. The vulnerability affects all DNA deployments within the affected version range, with no patch currently available from Valmet.

What this means
What could happen
An attacker with network access to Valmet DNA could execute arbitrary commands with system-level privileges, potentially allowing them to modify process parameters, disable safety functions, or shut down critical industrial operations.
Who's at risk
Organizations operating Valmet DNA systems (versions Collection 2012 through Collection 2021) in pulp and paper mills, refineries, and other process industries where DNA is used for process control and automation should prioritize this issue. Anyone running these affected versions in a networked environment is at risk.
How it could be exploited
An attacker on the same network segment (or with network routing to the device) could send a crafted request to the DNA system that exploits weak cryptographic mechanisms. The system would execute arbitrary commands with full system privileges without requiring valid credentials or user interaction.
Prerequisites
  • Network access to Valmet DNA system on the same network segment or routable network
  • DNA version Collection 2012 through Collection 2021
Remotely exploitable · No authentication required · Low complexity attack · No patch available · High impact to physical operations · Affects industrial process control
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (1)
Product | Affected Versions | Fix Status
DNA | ≥ Collection 2012, ≤ Collection 2021 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Deploy a firewall rule to prevent unauthorized network access to the DNA system from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Valmet customer service and update DNA to the latest available version
Long-term hardening
HARDENING: Isolate the DNA system and control network from the business network using network segmentation
HARDENING: If remote access to DNA is required, implement a VPN and keep it updated to the latest version