CVE-2025-0416: Valmet DNA Local privilege escalation through insecure DCOM configuration

8.9 CVSS

Description

Local privilege escalation through insecure DCOM configuration in Valmet DNA versions prior to C2023. The DCOM object Valmet DNA Engineering has permissions that allow it to run commands as a user with the SeImpersonatePrivilege privilege. The SeImpersonatePrivilege privilege is a Windows permission that allows a process to impersonate another user. An attacker can use this vulnerability to escalate their privileges and take complete control of the system.

Classification

CVE ID: CVE-2025-0416

CVSS Base Severity: HIGH

CVSS Base Score: 8.9

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:U/V:D/RE:H/U:Amber

Problem Types

CWE-269 Improper Privilege Management

Affected Products

Vendor: Valmet

Product: Valmet DNA

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 4.43% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-30 (when this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-0416
https://www.valmet.com/about-us/about/research-and-development/vulnerabilityadvisories/cve-2025-0416/

Timeline