CVE-2021-26726
Published: 16 February 2022
Summary
CVE-2021-26726 is a high-severity OS Command Injection (CWE-78) vulnerability in Valmet Dna. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 21.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-13513
Vulnerability details
A remote code execution vulnerability affecting a Valmet DNA service listening on TCP port 1517, allows an attacker to execute commands with SYSTEM privileges This issue affects: Valmet DNA versions from Collection 2012 until Collection 2021.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Review and update requirements help detect and correct least privilege violations in practice.
Access reviews verify and enforce adherence to least privilege by identifying excess permissions.
Requiring specification of intended system usage and access authorizations, plus periodic reviews, supports enforcement of least privilege.
Separation of duties is a direct mechanism to enforce least privilege by ensuring no individual receives more access than required for their isolated responsibilities.
Enforces the least privilege principle to avoid violations of minimal necessary access.
Detects error messages that leak sensitive information as evidence of disclosure.
Enforcing only the minimal set of functionality implements least privilege by eliminating unneeded capabilities that could be abused.
The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.