CVE-2025-27257

Insufficient Verification of Data Authenticity vulnerability in GE Vernova UR IED family devices allows an authenticated user to install a modified firmware. The firmware signature verification is enforced only on the client-side dedicated software Enervista UR Setup, allowing the integration check to be bypassed.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.2

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.gevernova.com/grid-solutions/app/DownloadFile.aspx?prod=urfamily&type=21&file=76
https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-27257

Configurations

No configuration.

History

12 Mar 2025, 12:15

Type	Values Removed	Values Added
References		() https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-27257 -
Summary		(es) La vulnerabilidad de verificación insuficiente de la autenticidad de los datos en los dispositivos de la familia GE Vernova UR IED permite que un usuario autenticado instale un firmware modificado. La verificación de la firma del firmware se aplica únicamente en el software dedicado del lado del cliente Enervista UR Setup, lo que permite omitir la comprobación de integración.

10 Mar 2025, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-10 09:15

Updated : 2025-03-12 12:15

NVD link : CVE-2025-27257

Mitre link : CVE-2025-27257

CVE.ORG link : CVE-2025-27257

JSON object : View

Products Affected

No product.

CWE

CWE-345

Insufficient Verification of Data Authenticity

6.1 /10