Unauthenticated Path Traversal in Valmet DNA: A Critical Risk for Industrial Infrastructure

Security Arsenal Team
February 19, 2026

In the realm of Operational Technology (OT), the convergence of IT and industrial control systems (ICS) has opened new doors for efficiency—but also for attackers. This week, security teams in the Critical Manufacturing and Energy sectors need to turn their attention to a high-severity vulnerability affecting Valmet DNA Engineering Web Tools.

A recently disclosed CVE, tracked as CVE-2025-15577, allows an unauthenticated threat actor to manipulate the web maintenance services URL to achieve arbitrary file read access. This isn't just a bug; it's a potential gateway to intellectual property theft and system compromise in environments running versions C2022 and earlier.

The Vulnerability Deep Dive

CVE-2025-15577 carries a CVSS v3.1 score of 8.6 (HIGH), primarily due to its attack vector and the lack of required privileges.

  • Vulnerability Type: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal.
  • Attack Vector: Network (AV:N).
  • Complexity: Low (AC:L).
  • Privileges Required: None (PR:N).
  • User Interaction: None (UI:N).

The flaw lies in how the Valmet DNA Engineering Web Tools handle web maintenance service URLs. By manipulating specific parameters, an attacker can break out of the restricted directory structure (e.g., using sequences like ../ or encoded variations) to access files anywhere on the underlying file system. Because the vulnerability is unauthenticated, the attacker does not need valid credentials to initiate the attack.
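The check a fix for this class of bug needs, shown here as an added example rather than Valmet's own code (the web root /srv/dna/www and the file-name parameter are assumptions): naive_resolve is the CWE-22 pattern that joins and normalises the requested name but never confirms the result stayed inside the root, while resolve_under_root percent-decodes until the value settles (so double-encoded %252e cannot slip past), treats backslashes as separators the way a Windows host would, and then compares the canonical path against the root instead of blocklisting strings.

```python
import posixpath
from urllib.parse import unquote

# Added example (not Valmet's code): canonicalise a user-supplied file name and
# refuse anything that resolves outside the web root. Paths are handled as
# strings so the check is deterministic and never touches the filesystem.

MAX_DECODE_ROUNDS = 3  # enough to unwrap double encoding (%252e -> %2e -> .)


def fully_decode(value):
    """Percent-decode until the value stops changing; None if it never settles."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return None


def naive_resolve(root, requested):
    """The CWE-22 pattern: decode once, join, normalise, never check containment."""
    return posixpath.normpath(posixpath.join(root, unquote(requested)))


def resolve_under_root(root, requested):
    """Return the canonical path if it stays inside root, otherwise None."""
    root = posixpath.normpath(root)
    decoded = fully_decode(requested)
    if decoded is None or "\x00" in decoded:
        return None
    # Windows hosts treat backslash as a separator; normalise it before checking
    decoded = decoded.replace("\\", "/")
    # Drop leading slashes so an absolute name cannot replace root inside join()
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    prefix = root if root.endswith("/") else root + "/"
    if candidate == root or candidate.startswith(prefix):
        return candidate
    return None


if __name__ == "__main__":
    web_root = "/srv/dna/www"  # hypothetical web root
    for name in ("reports/daily.txt", "../../../etc/passwd",
                 "%252e%252e/%252e%252e/%252e%252e/etc/passwd",
                 "..\\..\\..\\windows\\win.ini"):
        print(f"{name!r:48} naive={naive_resolve(web_root, name)!r:28} "
              f"safe={resolve_under_root(web_root, name)!r}")
```

Because the decision is made on the canonical path rather than on the presence of a suspicious substring, new encodings of the same traversal do not need new rules; anything that does not land under the root is refused.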

Why This Matters for OT

In an IT environment, arbitrary file read is serious. In OT, it can be catastrophic. An attacker could leverage this to:

  1. Harvest Credentials: Read configuration files containing hardcoded passwords or API keys.
  2. Map the Network: Access system documentation or topology files to plan lateral movement.
  3. Extract IP: Steal proprietary logic configurations or process data specific to the manufacturing or energy generation processes.

Detection and Threat Hunting

At Security Arsenal, we know that you cannot patch what you cannot see. If your organization utilizes Valmet DNA, immediate threat hunting is required to determine if this vulnerability is being actively scanned or exploited.

1. Hunt for Path Traversal Patterns (KQL for Sentinel/Defender)

Monitor your web proxy logs or ICS-specific firewalls for URL patterns indicative of path traversal attempts targeting the Valmet maintenance interface.

Script / Code

DeviceNetworkEvents
| where RemoteUrl contains "/engineering"   // specific to the Valmet DNA web tools context
// contains, not has: `has` matches whole terms and will not match a fragment such as "../"
| where RemoteUrl contains @"..\" or RemoteUrl contains "../"
    or RemoteUrl contains "%2e%2e" or RemoteUrl contains "%255c"
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemoteUrl, InitiatingProcessAccountName
| extend IoC = "Path Traversal Attempt"

2. Web Server Log Analysis (Python)

If you have direct access to the web server logs of the Valmet Engineering tools, use this Python snippet to scan for traversal patterns.

Script / Code

import re

# Regex for common path traversal sequences: literal ../ or ..\, a double-encoded
# dot (%252e), an encoded dot-dot (%2e%2e) and the overlong UTF-8 dot (%c0%ae)
traversal_regex = re.compile(
    r'(\.\.[\/\\])|(%252e)|(%2e%2e)|(%c0%ae)',
    re.IGNORECASE
)


def scan_logs(log_file_path):
    """Return the stripped log lines that contain a traversal sequence."""
    suspicious_entries = []
    try:
        # errors='replace' keeps a stray non-UTF-8 byte from aborting the scan
        with open(log_file_path, 'r', errors='replace') as f:
            for line in f:
                if traversal_regex.search(line):
                    suspicious_entries.append(line.strip())
        return suspicious_entries
    except FileNotFoundError:
        print("Log file not found.")
        return []

# Usage
# alerts = scan_logs('/var/log/valmet/access.log')
# for alert in alerts:
#     print(f"ALERT: {alert}")
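The regex above matches the raw request bytes, so it misses mixed forms such as ..%2f (literal dots, encoded slash), while a plain grep for ".." flags benign names like app..js. The following added example (not from the original post; the log lines and the /engineering prefix are constructed) parses combined-format access-log lines, decodes the path and each query value before inspection, and alerts only when a decoded path segment is exactly "..", which catches the plain, single-encoded and double-encoded variants alike without the false positive.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined-log style (not real Valmet logs).
# Lines 2, 3 and 5 carry traversal attempts in three encodings; line 4 is a
# benign file name containing ".." that a plain grep for ".." would flag.
SAMPLE_LOG = """\
10.0.5.21 - - [19/Feb/2026:08:12:01 +0000] "GET /engineering/maintenance/files?name=reports%2Fdaily.txt HTTP/1.1" 200 512
10.0.5.44 - - [19/Feb/2026:08:12:07 +0000] "GET /engineering/maintenance/files?name=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1842
10.0.5.44 - - [19/Feb/2026:08:12:09 +0000] "GET /engineering/maintenance/files?name=%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 200 403
10.0.5.9 - - [19/Feb/2026:08:13:00 +0000] "GET /engineering/static/app..js HTTP/1.1" 200 9031
10.0.5.31 - - [19/Feb/2026:08:14:22 +0000] "GET /engineering/maintenance/files?name=.%2e/config/app.ini HTTP/1.1" 200 220
"""

# Source address, timestamp, method, request target and status from a combined-log line
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_traversal_segment(value):
    """True if, after decoding, any path segment (split on / or \\) is exactly '..'."""
    decoded = unquote(unquote(value))  # second round unwraps %252e / %255c
    return any(seg == ".." for seg in re.split(r"[/\\]", decoded))


def scan_lines(lines, prefix="/engineering"):
    """Return one dict per request under prefix whose path or any query value traverses."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(prefix):
            continue
        # parse_qsl decodes each value once; has_traversal_segment decodes further
        values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        if any(has_traversal_segment(v) for v in values):
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "target": m.group("target"), "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit['ts']} {hit['src']} status={hit['status']} {hit['target']}")
```

The status code is kept in each hit on purpose: a traversal request that returned 200 with a non-trivial byte count deserves a higher triage priority than one the server rejected, and that distinction is lost when only the matching line is printed.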

3. Bash Quick Scan

For a rapid check on Linux-based ICS servers hosting the web tools:

Script / Code

grep -rn "\.\." /var/log/httpd/access_log | grep -i "engineering" > path_traversal_scan.txt

if [ -s path_traversal_scan.txt ]; then
    echo "Potential Path Traversal Detected. Check path_traversal_scan.txt"
else
    echo "No obvious traversal patterns found."
fi

Mitigation and Remediation

Valmet has issued a fix, but due to the sensitive nature of OT environments, a "patch and pray" approach is insufficient.

  1. Apply the Vendor Fix: Valmet recommends that users reach out directly to their automation customer service group to obtain the specific fix for version C2022 and earlier. Do not wait for a broad OTA update; contact them via Valmet's security advisory.
  2. Network Segmentation: Per CISA guidelines, ensure these tools are not accessible from the internet. Place them behind firewalls and isolate them from the business network.
  3. Web Application Firewall (WAF): Implement strict WAF rules to block requests containing directory traversal sequences (../, %2e%2e) targeting the maintenance services URL.
  4. Access Controls: Ensure that even internal access to the Engineering Web Tools is restricted to a whitelist of necessary IP addresses.

Given the critical nature of the Energy and Manufacturing sectors, treating this vulnerability as an emergency is the only responsible posture.
