Cyber Resilience

CVE-2025-15577

High

Published: 12 February 2026

Published
12 February 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:D/RE:M/U:Green
EPSS Score 0.0050 39.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-15577 is a high-severity Path Traversal (CWE-22) vulnerability in Valmet Dna. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15577 is a path traversal vulnerability (CWE-22) in Valmet DNA Web Tools versions C2022 and older. It enables an unauthenticated attacker to achieve arbitrary file read access by manipulating URLs. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and significant confidentiality impact.

An unauthenticated attacker can exploit this issue remotely over the network with low complexity. By crafting malicious URLs, the attacker gains read access to arbitrary files on the affected system, potentially exposing sensitive configuration data, credentials, or other critical information without impacting integrity or availability.

Valmet has published an advisory detailing the issue at https://www.valmet.com/company/innovation/advisories/CVE-2025-15577/, which security practitioners should consult for mitigation guidance and patch information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An unauthenticated attacker can exploit this vulnerability by manipulating URL to achieve arbitrary file read access.This issue affects Valmet DNA Web Tools: C2022 and older.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in unauthenticated public web app directly enables remote exploitation (T1190) and arbitrary local file reads (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66687Shared CWE-22
CVE-2025-26753Shared CWE-22
CVE-2025-44177Shared CWE-22
CVE-2023-42226Shared CWE-22
CVE-2026-39859Shared CWE-22
CVE-2024-55457Shared CWE-22
CVE-2025-8343Shared CWE-22
CVE-2026-23939Shared CWE-22
CVE-2025-27098Shared CWE-22
CVE-2025-69411Shared CWE-22

Affected Assets

valmet
dna
≤ 2022

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the specific path traversal flaw in Valmet DNA Web Tools via timely patching directly eliminates the vulnerability enabling arbitrary file reads.

prevent

Validating URL inputs against path traversal sequences like '../' prevents unauthenticated attackers from accessing arbitrary files outside intended directories.

preventdetect

Boundary protection via web application firewalls monitors and blocks malicious URL manipulations attempting path traversal to sensitive files.

References