CVE-2025-15577
Published: 12 February 2026
Summary
CVE-2025-15577 is a high-severity Path Traversal (CWE-22) vulnerability in Valmet Dna. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-15577 is a path traversal vulnerability (CWE-22) in Valmet DNA Web Tools versions C2022 and older. It enables an unauthenticated attacker to achieve arbitrary file read access by manipulating URLs. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and significant confidentiality impact.
An unauthenticated attacker can exploit this issue remotely over the network with low complexity. By crafting malicious URLs, the attacker gains read access to arbitrary files on the affected system, potentially exposing sensitive configuration data, credentials, or other critical information without impacting integrity or availability.
Valmet has published an advisory detailing the issue at https://www.valmet.com/company/innovation/advisories/CVE-2025-15577/, which security practitioners should consult for mitigation guidance and patch information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206978
Vulnerability details
An unauthenticated attacker can exploit this vulnerability by manipulating URL to achieve arbitrary file read access.This issue affects Valmet DNA Web Tools: C2022 and older.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in unauthenticated public web app directly enables remote exploitation (T1190) and arbitrary local file reads (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Remediating the specific path traversal flaw in Valmet DNA Web Tools via timely patching directly eliminates the vulnerability enabling arbitrary file reads.
Validating URL inputs against path traversal sequences like '../' prevents unauthenticated attackers from accessing arbitrary files outside intended directories.
Boundary protection via web application firewalls monitors and blocks malicious URL manipulations attempting path traversal to sensitive files.