The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday disclosed multiple hardware vulnerabilities in Emerson’s ValveLink products. The flaws include cleartext storage of sensitive data in memory, protection mechanism failure, uncontrolled search path elements, and improper input validation. All versions of Emerson’s ValveLink SOLO, DTM, PRM, and SNAP-ON released before version 14.0 are affected by the vulnerabilities.
“Successful exploitation of these vulnerabilities could allow an attacker with access to the system to read sensitive information stored in cleartext, tamper with parameters, and run un-authorized code,” CISA detailed in its advisory.
Emerson reported these vulnerabilities to CISA.
The agency noted that the ValveLink product stores sensitive information in cleartext in memory. The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the product crashes or if the programmer does not properly clear the memory before freeing it. CVE-2025-52579 has been assigned to the vulnerability. It carries a CVSS v3 base score of 9.4 and a CVSS v4 base score of 9.3, indicating critical severity.
The ValveLink product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. CVE-2025-50109 has been assigned to the vulnerability, with a CVSS v3 base score of 7.7 and a CVSS v4 base score of 8.5, reflecting high severity.
Deployed in the global critical manufacturing sector, the ValveLink product does not use or incorrectly use a protection mechanism that provides sufficient defense against directed attacks against the product. CVE-2025-46358 has been assigned to this vulnerability. It has a CVSS v3 base score of 7.7 and a CVSS v4 base score of 8.5, indicating a high-severity risk.
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. CVE-2025-48496 has been assigned to the vulnerability, with a CVSS v3 base score of 5.1 and a CVSS v4 base score of 5.9, indicating medium severity.
The ValveLink product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. CVE-2025-53471 has been assigned to the vulnerability, with a CVSS v3 base score of 5.1 and a CVSS v4 base score of 5.9, reflecting medium severity.
Emerson recommends users update their ValveLink software to ValveLink 14.0 or later.
CISA urges organizations to take defensive steps to reduce the risk of exploitation. This includes limiting network exposure by ensuring control systems are not accessible from the Internet, placing control system networks and remote devices behind firewalls, and isolating them from business networks.
For remote access, CISA recommends using secure methods such as Virtual Private Networks (VPNs), while noting that VPNs themselves may have vulnerabilities and must be kept up to date. The agency also emphasizes that a VPN is only as secure as the devices connected to it. Organizations are advised to conduct thorough impact analysis and risk assessments before implementing any defensive measures.
