1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: Emerson
- Equipment: ValveLink Products
- Vulnerabilities: Cleartext Storage of Sensitive Information in Memory, Protection Mechanism Failure, Uncontrolled Search Path Element, Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker with access to the system to read sensitive information stored in cleartext, tamper with parameters, and run unauthorized code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following ValveLink products are affected:
- ValveLink SOLO: All versions prior to ValveLink 14.0
- ValveLink DTM: All versions prior to ValveLink 14.0
- ValveLink PRM: All versions prior to ValveLink 14.0
- ValveLink SNAP-ON: All versions prior to ValveLink 14.0
3.2 VULNERABILITY OVERVIEW
3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316
The product stores sensitive information in cleartext in memory. The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the product crashes, or if the programmer does not properly clear the memory before freeing it.
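The following is an added example, not part of the advisory and not Emerson's code; it assumes a Linux/glibc target and uses hypothetical helper names. It shows the defensive counterpart to the three exposure paths named above: the secret lives in pages that are locked out of swap, excluded from core dumps, and wiped before they are released.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes MAP_ANONYMOUS, madvise(), MADV_DONTDUMP */
#endif
#include <string.h>       /* size_t; memcpy() for callers */
#include <sys/mman.h>
#include <unistd.h>

/* All names are hypothetical; nothing here is taken from ValveLink. */
typedef struct {
    unsigned char *buf;   /* whole pages holding the secret */
    size_t len;           /* mapping size in bytes */
    int locked;           /* 1 if mlock() keeps the pages out of swap */
    int nodump;           /* 1 if the pages are excluded from core dumps */
} secret_t;

/* Zero through a volatile pointer so the compiler cannot discard the
   stores as dead writes just before the memory is released. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Map private pages for a secret and apply both protections. */
int secret_alloc(secret_t *s, size_t want) {
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0 || want == 0) return -1;
    s->len = (want + (size_t)pg - 1) / (size_t)pg * (size_t)pg;
    void *m = mmap(NULL, s->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    s->buf = m;
    s->locked = (mlock(m, s->len) == 0);               /* "saved to disk" */
    s->nodump = 0;
#ifdef MADV_DONTDUMP
    s->nodump = (madvise(m, s->len, MADV_DONTDUMP) == 0); /* "core dump" */
#endif
    return 0;
}

/* Wipe, count any non-zero bytes left behind (expected 0), then unmap. */
size_t secret_release(secret_t *s) {
    size_t left = 0;
    secure_wipe(s->buf, s->len);                       /* "before freeing it" */
    for (size_t i = 0; i < s->len; i++) left += (s->buf[i] != 0);
    if (s->locked) munlock(s->buf, s->len);
    munmap(s->buf, s->len);
    s->buf = NULL;
    return left;
}
```

A failed `mlock()` (for example under a low `RLIMIT_MEMLOCK`) is recorded in `locked` rather than treated as fatal, so callers can decide whether to proceed. On Windows the corresponding calls are `VirtualLock` and `SecureZeroMemory`.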
CVE-2025-52579 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).
A CVSS v4 score has also been calculated for CVE-2025-52579. A base score of 9.3 has been calculated; the CVSS vector string is (