Valmet DNA Lack of protection against brute force attacks

CVE-2025-0417

Summary: An arbitrary number of login attempts can be made via the Valmet DNA operator user interface without the user being blocked.
Impact: The possibility to make an arbitrary number of login attempts without any rate limit gives an attacker an increased chance of guessing passwords and then performing switching operations.
Issue date: March 31, 2025
Affects: All Valmet DNA Operate versions.
CVE Name: https://nvd.nist.gov/vuln/detail/CVE-2025-0417
CVSS Details: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Green
CVSS Score: 7.0
Solution: The new version is available from Valmet Automation Customer Service.
Mitigations: A properly configured firewall helps to prevent unauthorized access from untrusted networks to the system. The availability to operate should always be evaluated according to industry best practices.
Acknowledgements: Sixtus Leonhardsberger and Felix Eberstaller of LimesSecurity