Valmet DNA Engineering Web Tools
Plan Patch | CVSS 8.6 | ICS-CERT ICSA-26-050-02 | Feb 19, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Valmet DNA Engineering Web Tools contains a path traversal vulnerability (CWE-22) in the web maintenance services URL handling. An unauthenticated attacker can manipulate the maintenance services URL to read arbitrary files from the affected system.
What this means
What could happen
An attacker could read sensitive files from the engineering workstation running DNA Engineering Web Tools, potentially exposing engineering configurations, credentials, or system information that could be used to compromise process automation.
Who's at risk
Any organization using Valmet DNA Engineering Web Tools for industrial process automation configuration and maintenance should assess this issue. The vulnerability affects engineering workstations and web-accessible maintenance interfaces in plants using Valmet automation systems, including paper mills, power plants, and other process industries.
How it could be exploited
An attacker with network access to the web maintenance service port can craft a malicious URL with path traversal sequences (../ characters) to bypass directory restrictions and read files outside the intended directory. No authentication is required. The attacker sends the crafted request to the web service and receives the file contents in the response.
Prerequisites
- Network access to the web maintenance service port on the engineering workstation
- Knowledge of file paths on the target system or ability to guess common configuration file locations
remotely exploitable | no authentication required | low complexity | affects engineering systems with process control configurations
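A defender-side check for the request pattern described above, as an added example that is not part of the original advisory or Valmet's code: it scans web access logs for traversal segments, including percent-encoded and double-encoded forms. The Common Log Format layout, the `/placeholder-service/` paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the web service (or a proxy in front of it) writes Common Log Format.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def has_traversal(target):
    """True if any path or query segment is exactly '..' after decoding."""
    normalised = fully_decode(target).replace("\\", "/")
    return ".." in re.split(r"[/?&=;]", normalised)

def scan(lines):
    """Return (source, raw target, status) for each request with a traversal segment."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and has_traversal(m["target"]):
            findings.append((m["src"], m["target"], int(m["status"])))
    return findings

# Constructed sample lines; paths and addresses are placeholders, not product URLs.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Feb/2026:10:00:01 +0000] "GET /placeholder-service/status HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Feb/2026:10:00:05 +0000] "GET /placeholder-service/../../example.cfg HTTP/1.1" 200 2048',
    '198.51.100.7 - - [19/Feb/2026:10:00:06 +0000] "GET /placeholder-service/view?file=%252e%252e%255cexample.cfg HTTP/1.1" 404 0',
    '192.0.2.10 - - [19/Feb/2026:10:00:09 +0000] "GET /placeholder-service/report..2026.pdf HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for src, target, status in scan(SAMPLE_LOG):
        # A 200 on a traversal request means content was returned: review those first.
        priority = "REVIEW FIRST" if status == 200 else "review"
        print(f"{priority}: {src} status={status} {target}")
```

Matching on whole `..` segments after decoding keeps names such as `report..2026.pdf` from being flagged while still catching backslash and double-encoded variants.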
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Valmet DNA Engineering Web Tools: <=C2022 | ≤ C2022 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the DNA Engineering Web Tools web maintenance service port to only authorized engineering workstations and maintenance terminals using a firewall or network access control list
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Contact Valmet automation customer service for the patched version and update Valmet DNA Engineering Web Tools immediately
Long-term hardening
HARDENING: Implement network segmentation to isolate engineering workstations from untrusted networks and limit direct internet access to these systems
CVEs (1)