PatchSiren cyber security CVE debrief
CVE-2025-46358 Emerson CVE debrief
CVE-2025-46358 is a high-severity vulnerability in Emerson ValveLink products where the software does not use, or incorrectly uses, a protection mechanism sufficient to defend against directed attacks. CISA’s advisory lists ValveLink SOLO, DTM, PRM, and SNAP-ON versions before 14.0 as affected and recommends updating to ValveLink 14.0 or later.
- Vendor: Emerson
- Product: ValveLink SOLO
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-07-08
- Original CVE updated: 2025-07-08
- Advisory published: 2025-07-08
- Advisory updated: 2025-07-08
Who should care
Industrial control system operators, OT engineers, maintenance teams, and asset owners running Emerson ValveLink SOLO, DTM, PRM, or SNAP-ON below version 14.0 should prioritize this advisory. Security teams responsible for Windows-based engineering or diagnostic workstations used with Emerson valve management tools should also review exposure and update planning.
Technical summary
The CSAF advisory describes the issue generically as improper or missing use of a protection mechanism against directed attacks. The provided CVSS v3.1 vector is AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating local attack conditions with high confidentiality and integrity impact but no availability impact. The affected product set is limited to Emerson ValveLink SOLO, DTM, PRM, and SNAP-ON versions earlier than 14.0.
Defensive priority
High. The advisory is rated CVSS 7.7 HIGH, affects multiple ValveLink product lines, and has a clear vendor remediation path. Because the vector is local and does not require privileges or user interaction, teams should treat exposed engineering workstations and diagnostic systems as near-term patch candidates.
Recommended defensive actions
- Upgrade Emerson ValveLink software to version 14.0 or later as recommended by the vendor.
- Inventory all systems running ValveLink SOLO, DTM, PRM, and SNAP-ON and confirm whether any are below 14.0.
- Prioritize updates for OT/engineering workstations that interact with process control assets.
- Review access controls and workstation hardening in line with CISA ICS recommended practices while patching is planned or underway.
- Check Emerson security notifications for product-specific guidance and deployment considerations.
Evidence notes
Facts in this debrief are limited to the supplied CSAF advisory and listed official references. The advisory states the affected products and version boundary as Emerson ValveLink SOLO, DTM, PRM, and SNAP-ON: <ValveLink_14.0. The CVSS vector supplied in the advisory is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, and the remediation text states Emerson recommends updating to ValveLink 14.0 or later. No exploit details, campaign attribution, or KEV listing were present in the corpus.
Official resources
- CVE-2025-46358 CVE record (CVE.org)
- CVE-2025-46358 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA in the initial publication of ICSA-25-189-01 on 2025-07-08. No KEV listing was provided in the supplied corpus.