CVE-2025-15577
Undergoing Analysis Undergoing Analysis - In Progress
Arbitrary File Read in Valmet DNA Web Tools via URL Manipulation

Publication date: 2026-02-12

Last updated on: 2026-02-23

Assigner: National Cyber Security Centre Finland

Description
An unauthenticated attacker can exploit this vulnerability by manipulating URL to achieve arbitrary file read access.This issue affects Valmet DNA Web Tools: C2022 and older.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15577
EUVD
EUVD-2025-206978
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
valmet dna to 2022 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15577 is a vulnerability in the Valmet DNA Engineering Web Tools (version C2022 and older) that allows an unauthenticated attacker to achieve arbitrary file read access by manipulating the URL on the Valmet DNA web server.

This means that an attacker who can access the web server can read files on the system without needing to log in or have any privileges.

Impact Analysis

This vulnerability can have a high impact because it allows attackers to read arbitrary files on the server without authentication.

Such unauthorized file access could expose sensitive information, configuration files, or other critical data, potentially leading to further attacks or data breaches.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the Valmet DNA Engineering Web Tools (version C2022 and older) web server is accessible and vulnerable to arbitrary file read via URL manipulation.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves manipulating URLs to read arbitrary files without authentication, detection can involve sending crafted HTTP requests to the web server to see if unauthorized file access is possible.'}, {'type': 'paragraph', 'content': 'No specific commands are provided in the available resources, but network administrators can use tools like curl or wget to test URL endpoints for unauthorized file access attempts.'}, {'type': 'list_item', 'content': 'Example command to test URL manipulation (replace <target_url> and <file_path>):'}, {'type': 'list_item', 'content': 'curl "http://<target_url>/<file_path>" -v'}, {'type': 'list_item', 'content': 'Monitor web server logs for unusual URL requests that attempt to access sensitive files.'}] [1]

Mitigation Strategies

Immediate mitigation steps include properly configuring firewalls to prevent unauthorized access to the Valmet DNA Web Tools web server from untrusted networks.

Restrict network access so that only trusted users or systems can reach the vulnerable web server.

Contact Valmet Automation Customer Service to obtain and apply the available solution or patch for this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15577. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart