OTPulse

Valmet DNA Engineering Web Tools

Plan Patch · 8.6 · ICS-CERT ICSA-26-050-02 · Feb 19, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Valmet DNA Engineering Web Tools contains an arbitrary file read vulnerability (CWE-22 path traversal) in the web maintenance services URL handling. An unauthenticated attacker can manipulate the maintenance services URL to read arbitrary files from the server, including system configuration files, potentially exposing sensitive process data or credentials.

What this means
What could happen
An attacker could read arbitrary files from the Valmet DNA engineering workstation, potentially exposing sensitive process configurations, engineering data, or credentials used to manage plant systems. This could lead to further compromise of your automation infrastructure.
Who's at risk
This affects organizations using Valmet DNA Engineering Web Tools (version C2022 and earlier) for engineering and configuration of Valmet automation and process control systems. The risk is highest for utilities and manufacturing facilities that rely on Valmet systems for critical process control and where engineering workstations have network connectivity.
How it could be exploited
An attacker with network access to the Valmet DNA Engineering Web Tools web interface can craft a malicious URL with path traversal sequences (such as ../ or encoded variants) in the web maintenance services parameter. This bypasses file access restrictions and allows the attacker to read any file the web service process has access to, such as configuration files or system data.
Prerequisites
  • Network access to the Valmet DNA Engineering Web Tools web interface (typically port 80/443)
  • No authentication required
remotely exploitable · no authentication required · low complexity · affects engineering systems · path traversal vulnerability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: Valmet DNA Engineering Web Tools: <=C2022
Affected Versions: ≤ C2022
Fix Status: No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the Valmet DNA Engineering Web Tools web interface to only authorized engineering workstations and jump servers. Use firewall rules or network segmentation to limit exposure.
WORKAROUND: Disable the web maintenance services feature if it is not actively in use.
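Until the fix is installed, the web server's access logs can be reviewed for the traversal pattern described above and for clients that the access restriction should have blocked. The following is an added example, not code from Valmet or from the advisory. It assumes Common Log Format access logs; the allowlist, addresses, request paths and log lines are all constructed, and the request paths are not the product's real URLs.

```python
import re
from urllib.parse import unquote

# Assumption: hosts permitted to reach the web interface (constructed addresses).
ALLOWED_SOURCES = {"10.20.0.11", "10.20.0.12"}

# Constructed sample log lines; "/svc?name=" is a placeholder, not the real URL.
SAMPLE_LOG = [
    '10.20.0.11 - - [19/Feb/2026:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.20.0.11 - - [19/Feb/2026:08:03:40 +0000] "GET /svc?name=..%2f..%2fplaceholder.cfg HTTP/1.1" 200 2048',
    '192.0.2.44 - - [19/Feb/2026:08:05:02 +0000] "GET /svc?name=%252e%252e%255cplaceholder.cfg HTTP/1.1" 404 0',
    '192.0.2.44 - - [19/Feb/2026:08:05:09 +0000] "GET /index.html HTTP/1.1" 200 512',
]

# Common Log Format: only the source address and request target are needed.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" \d{3}')
# Delimiters that bound a path or query-string segment once decoded.
SEGMENT_SPLIT = re.compile(r'[\\/?&=;]')


def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def review(lines):
    """Return (source, reason, raw request target) for each suspicious entry."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry
        src, target = m["src"], m["target"]
        if ".." in SEGMENT_SPLIT.split(fully_decode(target)):
            findings.append((src, "traversal-sequence", target))
        if src not in ALLOWED_SOURCES:
            findings.append((src, "source-not-allowlisted", target))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A traversal finding from an allowlisted host, as in the second sample line, still warrants follow-up: the network restriction limits who can reach the interface, not what a reachable client can request.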
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Valmet's automation customer service group directly to obtain the fix. Reference CVE-2025-15577.