PT-2025-14022 · Valmet · Valmet Dna

Published: 2025-04-01 · Updated: 2025-04-01 · CVE-2025-0416

CVSS v4.0: 8.9 (High)

Vector: AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:H/U:Amber

Name of the Vulnerable Software and Affected Versions: Valmet DNA versions prior to C2023

Description: The issue concerns an insecure DCOM configuration in Valmet DNA, specifically with the DCOM object Valmet DNA Engineering. This object has permissions that allow it to run commands as a user with the SeImpersonatePrivilege privilege, a Windows permission enabling a process to impersonate another user. An attacker can exploit this to escalate privileges and gain complete control of the system.

Recommendations: For Valmet DNA versions prior to C2023, update to version C2023 or later to resolve the issue. As a temporary workaround, consider restricting the permissions of the Valmet DNA Engineering DCOM object to prevent unauthorized users from exploiting the SeImpersonatePrivilege privilege.

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2025-0416

Affected Products: Valmet Dna