Critical Path Traversal Vulnerability Strikes Valmet DNA Engineering Web Tools
A critical security flaw has been identified in Valmet DNA Engineering Web Tools, posing a significant risk to operational technology (OT) environments in the Critical Manufacturing and Energy sectors. Identified as CVE-2025-15577, this vulnerability allows unauthenticated attackers to manipulate the application's web maintenance services URL to achieve arbitrary file read access on the targeted system.
With a CVSS v3.1 base score of 8.6 (HIGH), this issue is not one to ignore. Successful exploitation could expose sensitive configuration files, intellectual property, or credentials, potentially serving as a stepping stone for further malicious activity within the industrial control system (ICS).
Vulnerability Analysis
The Mechanics of CVE-2025-15577
At its core, CVE-2025-15577 is an Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal (CWE-22).
Web applications generally restrict file access to a specific directory (e.g., /var/www/html). Path traversal vulnerabilities occur when an application fails to properly sanitize user-supplied input (in this case, a URL parameter) that is used to access the file system. By injecting special characters like ../ (or their URL-encoded counterparts like %2e%2e/), an attacker can navigate outside the restricted directory.
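The mechanism described above, as an added illustration that is not Valmet's code: a naive join that decodes the URL parameter and concatenates it onto the restricted directory, beside a hardened resolver that canonicalises the result and rejects anything outside the root. The root directory and request values are constructed for the example.

```python
import os
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # restricted directory from the text (assumed layout)


def resolve_vulnerable(user_path: str, root: str = WEB_ROOT) -> str:
    """CWE-22 pattern: decode the parameter and join it onto the root with no
    containment check, so '../' segments walk out of the directory."""
    decoded = unquote(user_path)
    return os.path.normpath(os.path.join(root, decoded))


def resolve_safe(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Decode, strip a leading separator (so an absolute path cannot replace the
    root), canonicalise with realpath (collapses '..' and follows symlinks), then
    require the result to still sit under the root. Returns None to reject."""
    decoded = unquote(user_path)
    if "\x00" in decoded:  # NUL would truncate the path in C-backed file APIs
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/\\")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate
```

Both functions take the same URL-encoded input as the page's `%2e%2e/` example; only the second refuses it.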
Attack Vector and Impact
- Attack Vector (AV:N): The vulnerability is exploitable over the network.
- Attack Complexity (AC:L): The attack requires low complexity; no specialized conditions are needed.
- Privileges Required (PR:N): Perhaps most alarmingly, the attacker does not require authentication.
- User Interaction (UI:N): The attack does not require any user interaction.
An attacker can craft a malicious HTTP request targeting the web maintenance services URL. By appending path traversal sequences, they can force the application to read arbitrary files from the underlying operating system. In an ICS context, this often leads to the exposure of:
- Project files and logic diagrams.
- Database connection strings containing credentials.
- System configuration files that reveal network topology.
Affected Products
The vulnerability impacts the following versions:
- Valmet DNA Engineering Web Tools: Versions C2022 and earlier.
Detection and Threat Hunting
Given that this vulnerability allows unauthenticated access, it can be difficult to detect in log traffic without specific signatures. However, Security Operations Centers (SOCs) can hunt for the signs of path traversal attempts targeting the web interfaces of Valmet DNA systems.
KQL Queries (Microsoft Sentinel / Defender)
Use the following KQL query to hunt for URL-encoded path traversal patterns in HTTP logs targeting your OT segments or known Valmet IP addresses.
let TraversalSignatures = dynamic(["%2e%2e", "%252e", "..%2f", "%2e%2e%2f", "..%5c", "%2e%2e%5c"]);
DeviceNetworkEvents
| where RemotePort in (80, 443, 8080) // Common web ports
// RemoteUrl in DeviceNetworkEvents usually carries only the host name; the full request
// path and query are normally available only in proxy, WAF or IIS logs, so run the same
// signature list against those tables where you ingest them
| where RemoteUrl has_any (TraversalSignatures)
// Filter for known Valmet DNA Web Tools endpoints if specific paths are known, otherwise investigate all OT web traffic
| project Timestamp, DeviceName, InitiatingProcessAccountName, LocalIP, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc
PowerShell Log Analysis
If you have direct access to IIS logs or proxy logs on Windows jump servers hosting the interface, you can scan for suspicious patterns.
# Define path to IIS logs (adjust path as necessary)
$LogPath = "C:\inetpub\logs\LogFiles\W3SVC*\*.log"
$OutputPath = "C:\Temp\PathTraversal_Alerts.csv"
# Regex pattern for Path Traversal (standard and encoded); Select-String matches case-insensitively by default
$Regex = "(\%2e\%2e|\%252e|\.\./|\.\.\\)"
# Scan logs. The field indices below assume the default IIS W3C layout
# (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...);
# check the #Fields: header of your logs and adjust the indices if the layout differs.
Get-ChildItem -Path $LogPath -Recurse | Select-String -Pattern $Regex | Select-Object -First 100 |
    ForEach-Object {
        $parts = $_.Line.Split(' ')
        [PSCustomObject]@{
            Date     = $parts[0]
            Time     = $parts[1]
            SourceIP = $parts[8]
            UriStem  = $parts[4]
            UriQuery = $parts[5]
            FullLine = $_.Line
        }
    } | Export-Csv -Path $OutputPath -NoTypeInformation
Write-Host "Potential path traversal attempts exported to $OutputPath"
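A complementary check to the regex scan above, added here as example code rather than anything from the original advisory: it reads the W3C `#Fields:` header instead of hard-coding column positions, and URL-decodes each URI field repeatedly before looking for a `..` path segment, so double-encoded forms such as `%252e%252e%252f` are unwrapped rather than matched by signature. The log lines are constructed for the example and are not real Valmet traffic.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed IIS W3C sample (not real traffic): one benign request, two traversal attempts.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-01-10 08:00:01 10.0.0.5 GET /index.html - 8080 10.0.0.20 200
2025-01-10 08:00:02 10.0.0.5 GET /maint/files ..%2f..%2fconfig%2fsettings.xml 8080 192.0.2.10 200
2025-01-10 08:00:03 10.0.0.5 GET /maint/files %252e%252e%252f%252e%252e%252fapp.cfg 8080 192.0.2.10 200
"""

# A '..' segment bounded by a slash/backslash or by the start/end of the field
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so nested encodings are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Map each log line onto the column names given by the most recent #Fields: header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def find_traversal(text: str) -> List[Dict[str, str]]:
    """Return rows whose decoded URI stem or query contains a '..' path segment."""
    hits = []
    for row in parse_w3c(text):
        parts = (row.get("cs-uri-stem", ""), row.get("cs-uri-query", ""))
        if any(TRAVERSAL.search(fully_decode(p)) for p in parts):
            hits.append(row)
    return hits
```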
Mitigation Strategies
To effectively neutralize the threat posed by CVE-2025-15577, organizations should take the following immediate actions:
- Apply the Vendor Fix: Valmet has issued a fix for this vulnerability. Contact the Valmet automation customer service group immediately to obtain and deploy the patch. Refer to the official Valmet security advisory for CVE-2025-15577.
- Network Segmentation: Ensure that Valmet DNA systems are not directly accessible from the public internet. Place control system networks and devices behind robust firewalls and isolate them from the business network.
- Implement Web Application Firewall (WAF) Rules: Configure WAFs or reverse proxies to block requests containing common path traversal sequences (e.g., ../, %2e%2e) before they reach the engineering tools.
- Restrict Remote Access: If remote access is strictly necessary, ensure it is done via secure methods such as VPNs with Multi-Factor Authentication (MFA). Remember that VPNs are only as secure as the devices connected to them.
- Monitor for Anomalies: Deploy the detection queries mentioned above to identify potential exploitation attempts immediately.