Skip to main content

CVE-2025-50109

| EUVDEUVD-2025-21095 HIGH
Cleartext Storage of Sensitive Information in Memory (CWE-316)
2025-07-11 ics-cert@hq.dhs.gov
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 08:17 euvd
EUVD-2025-21095
Analysis Generated
Mar 16, 2026 - 08:17 vuln.today
CVE Published
Jul 11, 2025 - 00:15 nvd
HIGH 7.7

DescriptionCVE.org

Emerson ValveLink Products store sensitive information in cleartext within a resource that might be accessible to another control sphere.

AnalysisAI

CVE-2025-50109 affects Emerson ValveLink Products, which store sensitive information in cleartext within accessible resource locations, allowing local attackers without privileges to read confidential data. With a CVSS score of 7.7 and local attack vector, this vulnerability poses a significant confidentiality and integrity risk to industrial control system environments. The vulnerability's KEV status and actual exploitation likelihood should be confirmed with CISA and vendor advisories, as the high CVSS reflects substantial information exposure potential in proximity-based attack scenarios.

Technical ContextAI

This vulnerability stems from CWE-316 (Cleartext Storage of Sensitive Information in Memory), a fundamental flaw in secure coding practices where sensitive data—potentially including authentication credentials, configuration parameters, or operational secrets—is retained in unencrypted form within memory or file-based resources accessible to other processes or users on the same system. Emerson ValveLink Products are industrial automation solutions used in critical infrastructure for valve monitoring and control. The root cause is inadequate data protection mechanisms; instead of encrypting sensitive information at rest or using secure storage APIs, the application stores plaintext secrets in world-readable or group-readable locations. This is particularly dangerous in shared industrial environments where multiple control applications may run with overlapping privilege domains.

RemediationAI

Immediate actions: (1) Contact Emerson directly or check their security advisory portal (typically at emerson.com/security or support.emerson.com) for patch availability and version requirements. (2) Apply the latest security patch for ValveLink products as released by Emerson—patch availability and version numbers must be extracted from official vendor advisories (not provided in this synthesis). (3) Interim mitigations while patching: Restrict local system access via OS-level controls (file permissions, user groups); audit which users/processes have access to ValveLink configuration/data directories; implement host-based intrusion detection tuned to detect unauthorized file reads in sensitive directories; segment ICS networks to reduce lateral movement risk. (4) Long-term: Upgrade to patched versions; review deployment architecture to minimize shared resource access; implement secure credential storage using OS-provided secret management (e.g., credential vaults). Reference: Emerson Product Security Advisories (URL to be obtained from vendor); CISA ICS Alerts for ValveLink-specific guidance.

Share

CVE-2025-50109 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy