CVE-2025-27257

Summary

Insufficient Verification of Data Authenticity vulnerability in GE Vernova UR IED family devices allows an authenticated user to install a modified firmware. The firmware signature verification is enforced only on the client-side dedicated software Enervista UR Setup, allowing the integration check to be bypassed.

Affected Software

VendorProductVersion RangeStatus
GE VernovaN60 multilin7.0 <= 8.60affected
GE VernovaB30 Multilin7.0 <= 8.60affected
GE VernovaB90 Multilin7.0 <= 8.60affected
GE VernovaC30 Multilin7.0 <= 8.60affected
GE VernovaC60 Multilin7.0 <= 8.60affected
GE VernovaC70 Multilin7.0 <= 8.60affected
GE VernovaC95 Multilin7.0 <= 8.60affected
GE VernovaD30 Multilin7.0 <= 8.60affected
GE VernovaD60 Multilin7.0 <= 8.60affected
GE VernovaF35 Multilin7.0 <= 8.60affected
GE VernovaF60 Multilin7.0 <= 8.60affected
GE VernovaG30 Multilin7.0 <= 8.60affected
GE VernovaG60 Multilin7.0 <= 8.60affected
GE VernovaL30 Multilin7.0 <= 8.60affected
GE VernovaL60 Multilin7.0 <= 8.60affected
GE VernovaL90 Multilin7.0 <= 8.60affected
GE VernovaM60 Multilin7.0 <= 8.60affected
GE VernovaT35 Multilin7.0 <= 8.60affected
GE VernovaT60 Multilin7.0 <= 8.60affected
GE VernovaM60 Multilin7.0 <= 8.60affected

Weaknesses

  • CWE-345: CWE-345 Insufficient Verification of Data Authenticity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References