category ICS / OT Security
published February 21, 2026
read_time 12 min
author NoHacky

The File Read That Unlocks a Power Plant: CVE-2025-15577 and the OT Reconnaissance Problem

A vulnerability in Valmet DNA Engineering Web Tools just handed attackers something that can be more consequential than remote code execution in an industrial control system: a free look inside. CVE-2025-15577 requires no credentials, no user interaction, and no exploit kit. A single crafted URL is enough to start reading files off a server that may be managing combustion processes, turbine controllers, or paper mill production lines. That's not just a security bug. That's a reconnaissance superpower.

When many people think about industrial control system attacks, they picture dramatic scenarios: malware wiping hard drives, a saboteur reprogramming a PLC, a Stuxnet-style weapon silently accelerating centrifuges to destruction. Those attacks do happen, and they are catastrophic. But they share a prerequisite that rarely gets discussed — the attacker had to understand the target first. They had to know the architecture, the credentials, the process logic, the network layout. They had to read before they could own.

CVE-2025-15577, disclosed by CISA on February 19, 2026, is exactly that kind of vulnerability. It does not detonate anything. It does not crash a system or encrypt your files. What it does is hand an unauthenticated attacker a window directly into a live industrial control system — every configuration file, every stored credential, every network map that happens to live on the server's filesystem. In an OT environment, that is often enough to plan and execute an attack that causes real, physical harm.

Who Is Valmet and Why Should You Care About Their DCS

Valmet is not a household name in cybersecurity circles, but it is an enormous name in the physical world that cybersecurity is supposed to protect. The company traces its industrial roots to a state shipyard at the Viapori fortress outside Helsinki in the 1750s; the modern consolidated entity, Valtion Metallitehtaat — later renamed Valmet — was formally established in Finland in 1951. Today, Valmet has grown into one of the world's leading suppliers of process technologies and automation systems for the pulp, paper, and energy industries, employing approximately 17,000 professionals worldwide and reporting net sales of approximately EUR 5.4 billion in 2024.

At the heart of Valmet's automation offering is Valmet DNA, a Distributed Control System (DCS) platform that has been in deployment since 2008 and is used across pulp mills, paper machines, biomass power plants, waste-to-energy facilities, marine systems, and industrial process sites on multiple continents. Valmet DNA controls thousands of data points per installation — monitoring combustion, managing steam and gas turbine controllers, optimizing chemical recovery processes, and running integrated safety systems. In a Valmet DNA deployment at a waste-to-energy plant, for example, the control system handles everything from process stations to hardwired I/O signals numbering in the thousands.

This is not software managing spreadsheets. This is software managing fire, pressure, and chemical reactions at industrial scale. When the engineering web tools that support this system have a critical vulnerability, the downstream implications extend far beyond the server room.

At a glance: CVSS 4.0 score 8.7 (High); credentials required: none; affected versions: all up to and including C2022; 1,700+ ICS ransomware attacks in 2024.

What CVE-2025-15577 Actually Does — And How

The vulnerability is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory, commonly known as a path traversal or directory traversal flaw. The affected component is Valmet DNA Engineering Web Tools, specifically the web maintenance service — a browser-accessible interface used by engineers and administrators to manage and configure the DNA system. All versions up to and including C2022 are vulnerable.

The mechanism is straightforward, which makes it both easy to exploit and embarrassingly avoidable in modern software. The web maintenance service accepts a URL parameter that specifies a file path. It does not adequately sanitize or validate that input against a restricted directory. An attacker can manipulate the path to traverse outside the intended directory using sequences like ../ or encoded variants, pointing the server at arbitrary files on the filesystem. The server then reads and returns those files — to anyone, with no authentication check whatsoever.
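To make the CWE-22 mechanism concrete, here is an added example (not Valmet's code, and not the vulnerable component) contrasting the join-and-trust pattern behind this class of bug, the strip-"../" fix that does not hold, and the containment check that does; the directory layout and request strings are constructed.

```python
"""Added example, not Valmet's code: the join-and-trust pattern behind a
CWE-22 bug, the strip-"../" fix that does not work, and the containment
check that does. Directory layout and request strings are constructed."""
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(base_dir: str, requested: str) -> str:
    # The pattern behind most CWE-22 bugs: join the request path onto the
    # document directory and trust the result, with no containment check.
    return os.path.join(base_dir, requested)


def naive_sanitize(requested: str) -> str:
    # A common non-fix: delete "../" once. Sequences that reassemble after
    # one deletion pass straight through.
    return requested.replace("../", "")


def safe_resolve(base_dir: str, requested: str):
    """Return the resolved path if it stays inside base_dir, else None."""
    real_base = os.path.realpath(base_dir)
    # realpath collapses "..", duplicate separators, symlinks and an
    # absolute request path, so the comparison below sees the final target.
    candidate = os.path.realpath(os.path.join(real_base, requested))
    # The only test that matters: candidate is base_dir or below it.
    if candidate == real_base or candidate.startswith(real_base + os.sep):
        return candidate
    return None


def run_checks():
    """Constructed scenario: a web root holding one page, and a config file
    one level above it that must never be served. Returns, per request,
    whether each approach would hand out the outside file."""
    root = tempfile.mkdtemp()
    web = os.path.join(root, "webroot")
    os.makedirs(web)
    with open(os.path.join(web, "status.html"), "w") as f:
        f.write("ok")
    outside = os.path.realpath(os.path.join(root, "secret.cfg"))
    with open(outside, "w") as f:
        f.write("do-not-serve")
    requests = {
        "legit": "status.html",
        "plain": "../secret.cfg",
        "encoded": "%2e%2e/secret.cfg",     # one URL-encoding layer
        "reassembled": "....//secret.cfg",  # survives a single strip
    }
    results = {}
    for name, req in requests.items():
        decoded = unquote(req)  # model a server that decodes the URL once
        unchecked = os.path.realpath(naive_resolve(web, decoded))
        stripped = os.path.realpath(naive_resolve(web, naive_sanitize(decoded)))
        contained = safe_resolve(web, decoded)
        results[name] = {
            "unchecked": unchecked == outside,   # escapes with no check
            "stripped": stripped == outside,     # escapes despite stripping
            "contained": contained == outside,   # never true
            "contained_allows": contained is not None,
        }
    return results
```

The containment check never hands out the outside file; the "reassembled" request stays inside the web root and simply resolves to a non-existent file.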

"An unauthenticated attacker can exploit this vulnerability by manipulating URL to achieve arbitrary file read access." — CISA ICS Advisory ICSA-26-050-02, February 19, 2026

The CVSS 4.0 score of 8.7 reflects the attack surface accurately. The exploitability metrics — network-accessible, low complexity, no prerequisites, no privileges required, no user interaction — are represented in the vector as AV:N/AC:L/AT:N/PR:N/UI:N. These translate directly: an unauthenticated attacker anywhere on a network can exploit this with a single crafted HTTP request. The CVE identifier was assigned by NCSC-FI, Finland's national cybersecurity authority, and the flaw was reported to Valmet by researcher Denis Samotuga. Valmet has issued a fix; customers should contact Valmet support to obtain it.

Affected Sectors

CISA has designated this vulnerability as affecting Critical Manufacturing and Energy sectors. Valmet DNA is deployed globally across pulp mills, paper machines, biomass and waste-to-energy plants, marine automation systems, and general process industries. Organizations in any of these sectors running Valmet DNA Web Tools at version C2022 or earlier are directly exposed.

What makes this vulnerability particularly dangerous is not the sophistication of the exploit — it is the value of what gets returned. In a Valmet DNA environment, the files accessible through a path traversal could include engineering configuration files, network topology data stored in XML or similar formats, process variable definitions, authentication databases or credential files used by the DCS, Windows system files if the server runs a Windows OS (which many ICS systems do), and log files that reveal user activity and system architecture. Each of these file types represents a different category of intelligence that a sophisticated attacker can weaponize in the next phase of an attack.

Read-Before-You-Own: The OT Reconnaissance Kill Chain

In IT security, we talk extensively about the stages of an attack — initial access, execution, persistence, privilege escalation, lateral movement, and impact. In OT security, the ICS Cyber Kill Chain developed by Assante and Lee adds a layer that matters enormously: the attacker must develop a deep understanding of the physical process before they can manipulate it effectively. A ransomware group hitting an IT server does not need to understand how the server's software works to encrypt its files. An adversary targeting an industrial control system does need to understand the process — the control loops, the safety interlocks, the human-machine interface layout, the normal operating parameters — to cause a specific physical outcome.

This is the lens through which CVE-2025-15577 should be evaluated. It is not just a data exposure bug. It is stage one of a sophisticated attack chain against an industrial system.

"Adversaries targeting OT are progressing through the ICS Cyber Kill Chain at different speeds. Some focus on initial access, others have reached Stage 2. These threat groups conduct reconnaissance, development, and testing activities inside OT environments to understand control loops and position for future manipulation of industrial processes." — Dragos 2026 OT Cybersecurity Year in Review

Consider what an attacker who successfully exploits CVE-2025-15577 can learn from a Valmet DNA server's filesystem. Configuration files reveal the architecture of the control system: which process stations exist, how they communicate, what I/O they manage, and what engineering workstations are authorized to connect. Network configuration files show the IP addressing scheme of the OT network — the segmentation (or lack thereof) between safety systems, control systems, and the corporate network. Credential files or cached authentication data, if present, open doors to adjacent systems in the OT environment without any further exploitation. And stored process variable definitions or historian data show exactly how the controlled physical process is supposed to behave — giving an attacker a baseline against which they can eventually camouflage malicious commands.

The history of ICS attacks makes this sequence painfully concrete. The attackers behind the 2015 Ukrainian power grid attack used legitimate remote access tools and had deep knowledge of the ICS environment before they executed. Industroyer, the malware used in the 2016 follow-on attack, required its developers to understand specific industrial communication protocols — IEC 60870-5-101, IEC 60870-5-104, IEC 61850 — before it could meaningfully interact with substation switches and circuit breakers. Stuxnet required detailed knowledge of Siemens S7 PLC configurations and centrifuge operating parameters. In every case, reconnaissance preceded destruction.

CVE-2025-15577 is a reconnaissance tool that requires zero expertise to operate.

No Exploitation Confirmed — Yet

As of the CISA advisory publication date, no confirmed public exploitation of CVE-2025-15577 has been reported, and the vulnerability does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication. Historical patterns for ICS path traversal bugs, however, show that once a proof-of-concept appears publicly, opportunistic scanning begins almost immediately. The absence of known exploitation is not a signal to deprioritize this vulnerability — it is a window of opportunity to remediate before that window closes.

There is another dimension to consider: living-off-the-land tactics in OT environments. Security researchers and incident responders have increasingly documented a pattern where adversaries, once they understand the OT environment through reconnaissance, use legitimate engineering tools and credentials to interact with control systems — no malware required. When attackers understand the normal behavior of a Valmet DNA system from its own configuration files, they are equipped to issue plausible engineering commands that blend into the noise. Traditional anti-malware tools will see nothing suspicious because nothing suspicious is running. The attack surface becomes the system's own intended functionality.

"Adversaries often move from IT into OT using valid credentials, trusted remote access paths, or shared identity infrastructure. Once inside the ICS network, they can leverage standard engineering software, HMIs, scripting tools, and industrial protocols to interact directly with physical processes. No vulnerability, exploit, or custom malware is required." — SANS Institute, ICS/OT Security Research

The Patching Paradox: Why "Just Update It" Is Not an Answer

Valmet has issued a fix. That is the good news. The complicated news is that applying it is not as simple as clicking "install updates" on a laptop. OT patch management is genuinely one of the hardest problems in industrial cybersecurity, and understanding why matters as much as knowing the vulnerability exists.

Industrial control systems operate under availability constraints that have no IT equivalent. A paper mill does not pause production while engineers test a software update. A waste-to-energy plant running 24 hours a day cannot schedule a maintenance reboot the way an office workstation can. A biomass power plant connected to a regional grid faces regulatory and operational consequences if it drops offline unexpectedly. In these environments, patching often waits for scheduled maintenance windows — which may be months away. During that time, the vulnerability is known, public, and potentially being scanned for.

There are technical constraints compounding the operational ones. Many OT systems run on older versions of Windows or other operating systems where vendor-certified patch compatibility is not guaranteed. Applying a patch to a live control system without exhaustive testing in a mirrored sandbox environment risks introducing instability into a system where instability has physical consequences. OEMs like Valmet often deliver updates through coordinated support processes rather than automated distribution. Operators must manage relationships with vendors, verify configurations, validate against their specific deployment, and plan around plant operations — all before a single file is updated. As one OT security professional put it, patching in an OT environment "turns OT engineers into vendor relationship managers."

"There are no perfect choices — only risk-based decisions." — Mubarik Mustafa, Principal Consultant for OT/ICS Cybersecurity, ACET Solutions

Legacy system incompatibility adds another layer. Adobe Flash Player, which reached end-of-life in December 2020, is reportedly still present in operational OT networks today — more than four years after it became officially unsupported. Vulnerabilities in systems that cannot be patched do not disappear. They accumulate. In a Valmet DNA environment where the web tools version is locked due to hardware dependencies or certification requirements, the path traversal vulnerability may persist long after Valmet's fix is technically available. That is the reality operators face, and it demands compensating controls rather than a simple patch-and-move-on approach.

The broader picture is sobering. According to research from Bitsight, the number of exposed ICS/OT devices was estimated to reach 200,000 by the end of 2025, with the United States alone accounting for 80,000 exposed devices — and that number represented a 12% increase over the prior trend, reversing what had been a downward trajectory. The Dragos 2026 OT Cybersecurity Year in Review reported nearly 1,700 ransomware attacks successfully breaching industrial organizations in 2024, with roughly a quarter forcing full operational shutdowns and the remainder causing measurable disruption to industrial operations. CVE-2025-15577 exists inside this landscape, not outside it.

What Defenders Should Do Right Now

Given the gap that often exists between vulnerability disclosure and successful patch deployment in OT environments, compensating controls are not optional — they are the primary defense posture for many organizations during the window between knowing about this vulnerability and being able to close it.

The most important immediate action is network exposure assessment. Does the Valmet DNA Engineering Web Tools interface have any path to the internet — directly or through a series of hops? If it does, that path needs to be cut. CISA's advisory is explicit: control system devices should not be accessible from the internet. This sounds basic, but in practice, remote maintenance access, cloud-connected monitoring platforms, and IT-OT network convergence have quietly opened paths that plant managers may not be aware of. A thorough mapping exercise is necessary, not an assumption of isolation.

Questions every OT security team should be asking right now:

  1. Is Valmet DNA Web Tools version C2022 or earlier deployed in our environment?
  2. Does any network path exist from an untrusted network to that interface?
  3. Are firewall rules explicitly blocking external access to the DCS web interface?
  4. Do we have a current, verified asset inventory of all OT components?
  5. When is our next scheduled maintenance window for patch deployment?
  6. Has our vendor support contract been activated to obtain the fix from Valmet?

Network segmentation aligned to the Purdue Model is the structural answer to this category of threat. The engineering workstation tier (Level 2) and the control server tier (Level 1-2) should be separated from the business network (Level 3-4) by a properly configured demilitarized zone with strictly defined communication rules. If the Valmet DNA web interface is reachable from the corporate network without traversing a controlled boundary, that boundary needs to be established or hardened immediately.

For remote access — which is often the vector that creates unexpected exposure in OT environments — VPNs with strong authentication are the minimum standard. But the VPN itself must be patched and monitored. A hardened VPN protecting a vulnerable DCS interface is a security control; a misconfigured or unpatched VPN protecting the same interface may be just another attack surface. Multi-factor authentication on all remote access paths into the OT environment is non-negotiable.

Web Application Firewalls or inline inspection capable of detecting path traversal patterns can serve as a compensating control for organizations where the patch cannot be applied immediately. Rules that block URL patterns containing ../, %2e%2e, and similar traversal sequences at the network boundary can reduce exploitability even when the vulnerable software itself remains in place. Note that double URL-encoded variants such as %252e%252e can bypass naive pattern-matching rules, so WAF configurations should account for multiple encoding layers. This is not a substitute for patching, but it meaningfully raises the cost of exploitation during the remediation window.

Logging and anomaly detection deserve specific attention. In an OT environment where normal traffic patterns are well-established, unusual HTTP requests to the Valmet DNA web interface — particularly requests with path manipulation patterns — should trigger alerts. Many OT environments lack the network monitoring visibility that would make this detection possible, which is a gap that security teams should be actively closing regardless of this specific CVE. OT-aware monitoring solutions that understand industrial protocols and can baseline normal engineering traffic patterns are the category of tool most relevant here.
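The boundary-inspection and logging points above come together in this added example (not from the advisory or any vendor tool): it peels URL-encoding layers off each request path before matching traversal sequences, so single- and double-encoded variants are caught alongside plain ../, and it counts hits per client for alerting. The log lines, addresses and paths are constructed placeholders.

```python
"""Added example (not from CISA, Valmet or any vendor tool): flag HTTP
requests whose path, after peeling URL-encoding layers, contains a
directory traversal sequence. Log shape, addresses and paths are
constructed placeholders."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in a common access-log shape:
# client, request line, status. Nothing here is real traffic.
SAMPLE_LOG = """\
10.20.1.15 "GET /webtools/index.html HTTP/1.1" 200
10.20.1.15 "GET /webtools/view?file=status.html HTTP/1.1" 200
203.0.113.7 "GET /webtools/view?file=../../outside/secret.cfg HTTP/1.1" 200
203.0.113.7 "GET /webtools/view?file=%2e%2e%2f%2e%2e%2foutside/secret.cfg HTTP/1.1" 200
203.0.113.7 "GET /webtools/view?file=%252e%252e%252foutside/secret.cfg HTTP/1.1" 200
10.20.1.40 "GET /webtools/view?file=..%5c..%5coutside/secret.cfg HTTP/1.1" 200
10.20.1.40 "GET /webtools/view?file=reports/2026-02.pdf HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)
# ".." followed by a forward or back slash (or end of string) after decoding.
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|$)")


def peel_encoding(value: str, max_rounds: int = 5):
    """Decode URL-encoding repeatedly; return (decoded, layers_removed).

    A single decode pass turns %252e into %2e and misses it; looping until
    the string stops changing exposes every layer. The layer count itself
    is a useful signal: legitimate clients rarely double-encode."""
    layers = 0
    while layers < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, layers = nxt, layers + 1
    return value, layers


def scan_log(log_text: str):
    """Return one record per request whose decoded path contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        decoded, layers = peel_encoding(m["target"])
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "client": m["client"],
                "target": m["target"],
                "layers": layers,
                # A 200 on a traversal request means the read likely succeeded.
                "served": int(m["status"]) == 200,
            })
    return hits


def clients_over_threshold(hits, minimum: int = 2):
    """Clients with at least `minimum` traversal attempts, for alerting."""
    counts = Counter(h["client"] for h in hits)
    return sorted(c for c, n in counts.items() if n >= minimum)
```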

Finally, patch testing and deployment planning should begin now, even if the actual deployment is weeks away. Identify the affected systems, obtain the fix from Valmet support, establish a test environment that mirrors the production configuration as closely as possible, and schedule deployment for the next available maintenance window. Document everything — both for internal security governance and for regulatory compliance purposes under standards such as NERC CIP (particularly CIP-007 for Systems Security Management and CIP-010 for Configuration Change Management and Vulnerability Management) and ISA/IEC 62443. Organizations that use the EPSS (Exploit Prediction Scoring System) alongside CVSS for prioritization should note that a zero-authentication, network-accessible file read vulnerability in a publicly disclosed industrial control system component historically attracts rapid scanning activity — EPSS scores for this class of vulnerability tend to rise quickly after public proof-of-concept activity. This vulnerability should be treated as high priority regardless of the current EPSS baseline.

Key Takeaways

  1. CVE-2025-15577 is a reconnaissance weapon first: The primary danger of an unauthenticated file read in a DCS environment is not what it destroys — it is what it reveals. Configuration data, credentials, and network architecture exposed through this vulnerability give sophisticated attackers the intelligence needed to plan a targeted physical attack on the industrial process the DCS controls.
  2. Valmet DNA is deeply embedded in critical infrastructure: This platform controls real physical processes in energy, pulp, paper, and industrial sectors globally. The attack surface is not hypothetical — it is operational systems managing fire, pressure, chemical processes, and power generation across multiple continents.
  3. Patching is necessary but will not happen immediately for many operators: OT patch management operates on fundamentally different timelines and constraints than IT. Organizations should assume a remediation gap and implement compensating controls — network isolation, firewall rules, web traffic inspection, and anomaly detection — as the primary defensive posture until the patch can be validated and deployed.
  4. No known exploitation does not mean no risk: The public disclosure of a path traversal vulnerability with a CVSS score of 8.7 and zero authentication requirements is a reliable predictor of near-term scanning activity. The clock starts at disclosure, not at first confirmed exploitation.
  5. Visibility into your OT network is a prerequisite for all of this: Organizations that do not have a current asset inventory, network map, and traffic baseline cannot assess their exposure, detect exploitation attempts, or plan an effective patch rollout. If this vulnerability surfaces a gap in your OT visibility, fixing that gap is the most durable security investment you can make.

The history of ICS attacks teaches a consistent lesson: the most dangerous moment in an industrial system compromise is not when something explodes. It is the quiet period before, when an adversary is reading files, mapping networks, and learning how the process works. CVE-2025-15577 turns that quiet reconnaissance period into a zero-barrier, no-credentials-required capability. Defenders who understand that are in a far better position to respond than those waiting to see what the vulnerability eventually enables.

Valmet has built systems that have managed industrial processes for decades and across the world. The fix exists. The question now is whether the organizations that depend on those systems can close the gap between knowing about this vulnerability and eliminating it — before someone else closes it for them.

— end of briefing