
Valmet DNA Engineering Web Tools Vulnerable to Path Traversal Attack (CVE Pending)

Source: INCIBE-CERT

INCIBE-CERT warns of a path traversal flaw in Valmet's DNA Engineering Web Tools, allowing unauthorized directory access. Patch pending.

Valmet DNA Engineering Web Tools Affected by Path Traversal Vulnerability

Madrid, Spain – February 20, 2026 – INCIBE-CERT has issued an advisory regarding a path traversal vulnerability in Valmet’s DNA Engineering Web Tools, a software suite used for industrial process automation and control. The flaw, currently without a CVE identifier, permits unauthorized access to restricted directories, potentially exposing sensitive system files.

Technical Details

The vulnerability stems from improper limitation of pathnames to a restricted directory in the web-based interface of Valmet’s DNA Engineering Tools. Attackers with network access to the affected system could exploit this flaw to reach directories outside the intended restricted path, potentially accessing configuration files, credentials, or other critical data.

  • Affected Software: Valmet DNA Engineering Web Tools
  • Vulnerability Type: Path Traversal (CWE-22)
  • Impact: Unauthorized directory access, potential data exposure
  • CVSS Score: Pending (likely high severity)
  • Patch Status: Not yet available

Impact Analysis

Industrial control systems (ICS) like Valmet’s DNA Engineering Tools are critical to operations in sectors such as pulp, paper, and energy production. Successful exploitation of this vulnerability could lead to:

  • Unauthorized access to sensitive operational data
  • Disruption of industrial processes if configuration files are altered
  • Lateral movement within the network if credentials are exposed

Given the software’s deployment in OT (Operational Technology) environments, the risk extends beyond data exposure to potential physical consequences, including equipment damage or safety incidents.

Recommendations for Security Teams

INCIBE-CERT and Valmet have not yet released a patch, but organizations using the affected software should:

  1. Restrict Network Access

    • Limit exposure of the DNA Engineering Web Tools interface to trusted networks only.
    • Implement firewall rules to block unauthorized access to the web interface port.
  2. Monitor for Suspicious Activity

    • Deploy intrusion detection/prevention systems (IDS/IPS) to detect path traversal attempts.
    • Review logs for unusual access patterns to restricted directories.
  3. Apply Defense-in-Depth Measures

    • Segment OT networks from corporate IT networks to contain potential breaches.
    • Enforce least-privilege access for users interacting with the system.
  4. Prepare for Patching

    • Monitor Valmet’s official channels for a security update and apply it immediately upon release.
    • Test patches in a non-production environment before deployment to avoid operational disruptions.
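
The log review from recommendation 2, as an added example that is not part of the INCIBE-CERT advisory or Valmet's software: a Python scan of web access logs that percent-decodes each request target until it is stable, flags `..` path segments, and marks requests the server answered with a 2xx status. The Common Log Format, the `/tools/...` paths and the addresses are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: access logs are in Common Log Format; adjust LOG_RE otherwise.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." as a whole path segment, bounded by "/", "\" or a parameter delimiter.
DOTDOT_RE = re.compile(r'(?:^|[\\/=&?])\.\.(?:[\\/]|$)')
# Overlong UTF-8 encodings of "/" and "\", checked on the raw request target.
OVERLONG_RE = re.compile(r'%c0%af|%c1%9c', re.IGNORECASE)
MAX_DECODE_ROUNDS = 3

def fully_decode(target):
    """Percent-decode until stable so double encoding (%252e) is normalised."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def scan_line(line):
    """Return a finding dict if the request carries a traversal sequence."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, rounds = fully_decode(m["target"])
    if not (DOTDOT_RE.search(decoded) or OVERLONG_RE.search(m["target"])):
        return None
    return {"client": m["ip"], "time": m["ts"], "decoded": decoded,
            "decode_rounds": rounds,
            # A 2xx answer means the server served the request: triage first.
            "served": m["status"].startswith("2")}

def scan(log_text):
    """Scan every line of a log and return only the findings."""
    return [f for f in map(scan_line, log_text.splitlines()) if f]

# Constructed sample lines; paths and addresses are placeholders, not Valmet's.
SAMPLE_LOG = """\
10.20.0.15 - - [20/Feb/2026:10:01:02 +0000] "GET /tools/index.html HTTP/1.1" 200 5120
10.20.0.15 - - [20/Feb/2026:10:01:09 +0000] "GET /tools/docs/v1..2/notes.txt HTTP/1.1" 200 812
192.0.2.44 - - [20/Feb/2026:10:02:30 +0000] "GET /tools/view?file=../../conf/app.cfg HTTP/1.1" 403 0
192.0.2.44 - - [20/Feb/2026:10:02:31 +0000] "GET /tools/view?file=%252e%252e%252fconf%252fapp.cfg HTTP/1.1" 200 2048
192.0.2.44 - - [20/Feb/2026:10:02:33 +0000] "GET /tools/view?file=..%5c..%5cconf HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("SERVED " if f["served"] else "blocked", f["client"], f["decoded"])
```

Findings with `served` set to true and a `decode_rounds` value above 1 deserve review first: the request was obfuscated and the server still returned content.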

Next Steps

INCIBE-CERT will update its advisory as more information becomes available, including a CVE identifier and patch details. Organizations relying on Valmet’s DNA Engineering Tools should treat this as a high-priority issue and implement mitigations until a fix is provided.

For further details, refer to the original advisory on INCIBE-CERT’s website.
