Emerson ValveLink Products

Plan PatchCVSS 9.4ICS-CERT ICSA-25-189-01Jul 8, 2025

EmersonManufacturing

Summary

Emerson ValveLink SOLO, DTM, PRM, and SNAP-ON versions prior to 14.0 contain multiple vulnerabilities (CWE-316, CWE-693, CWE-427, CWE-20) related to cleartext storage of sensitive information, improper restriction of rendered UI layers to a single layer, information exposure through query strings, and insufficient input validation. Successful exploitation could allow an attacker with access to the system to read sensitive information stored in cleartext, tamper with parameters, and run unauthorized code.

What this means

What could happen

An attacker with access to a ValveLink workstation could read stored credentials or process parameters, modify valve control settings, or run commands on the system, potentially disrupting valve operation or causing process upset in manufacturing plants.

Who's at risk

This affects manufacturing facilities that use Emerson ValveLink software for smart valve diagnostics and control. Engineers and technicians who operate ValveLink workstations for valve configuration, monitoring, and asset management are at risk if the workstations are accessible from untrusted networks or inadequately segmented from business IT systems.

How it could be exploited

An attacker with network access to a ValveLink workstation could extract cleartext-stored sensitive data from the application, manipulate UI elements or query strings to bypass authorization checks, or exploit input validation flaws to achieve code execution on the host running ValveLink software.

Prerequisites

Network access to the workstation running ValveLink software
Local or network-accessible access to the ValveLink application
No evidence of requiring valid user credentials for initial exploitation

Critical CVSS (9.4)Cleartext credential storageInsufficient input validationNo authentication required for some attack pathsAffects control of manufacturing equipment (valves)

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

ValveLink SOLO: <ValveLink_14.0<ValveLink 14.014.0+

ValveLink DTM: <ValveLink_14.0<ValveLink 14.014.0+

ValveLink PRM: <ValveLink_14.0<ValveLink 14.014.0+

ValveLink SNAP-ON: <ValveLink_14.0<ValveLink 14.014.0+

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to ValveLink workstations using firewall rules, allowing only authorized engineering and maintenance personnel

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate ValveLink SOLO, DTM, PRM, and SNAP-ON to version 14.0 or later

Long-term hardening

0/2

HARDENINGIsolate ValveLink systems from the business network using network segmentation or air-gapping where operationally feasible

HARDENINGDisable remote access to ValveLink systems unless explicitly required; if remote access is necessary, enforce VPN with strong authentication

CVEs (5)

CVE-2025-52579 CVE-2025-50109 CVE-2025-46358 CVE-2025-48496 CVE-2025-53471

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f17703af-2090-4fae-8531-8c3d1d9b2e29

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.