CVE-2025-27253

An improper input validation in GE Vernova UR IED family devices from version 7.0 up to 8.60 allows an attacker to provide input that enstablishes a TCP connection through a port forwarding. The lack of the IP address and port validation may allow the attacker to bypass firewall rules or to send malicious traffic in the network

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://www.gevernova.com/grid-solutions/app/DownloadFile.aspx?prod=urfamily&type=21&file=76
https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-27253

Configurations

No configuration.

History

12 Mar 2025, 11:15

Type	Values Removed	Values Added
Summary		(es) Una validación de entrada incorrecta en los dispositivos de la familia GE Vernova UR IED de la versión 7.0 a la 8.60 permite a un atacante proporcionar una entrada que establezca una conexión TCP a través de un reenvío de puerto. La falta de validación de la dirección IP y del puerto puede permitir al atacante eludir las reglas del firewall o enviar tráfico malicioso en la red.
References		() https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-27253 -

10 Mar 2025, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-10 09:15

Updated : 2025-03-12 11:15

NVD link : CVE-2025-27253

Mitre link : CVE-2025-27253

CVE.ORG link : CVE-2025-27253

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

6.1 /10