CVE-2025-27257 (GCVE-0-2025-27257)
Vulnerability from cvelistv5
Published
2025-03-10 09:05
Modified
2025-03-12 11:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Summary
Insufficient Verification of Data Authenticity vulnerability in GE Vernova UR IED family devices allows an authenticated user to install a modified firmware.
The firmware signature verification is enforced only on the client-side dedicated software Enervista UR Setup, allowing the integration check to be bypassed.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | GE Vernova | N60 multilin |
Version: 7.0 < |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T13:23:04.580273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T13:23:20.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "N60 multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "B30 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "B90 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "C30 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "C60 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "C70 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "C95 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "D30 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "D60 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "F35 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "F60 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "G30 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "G60 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "L30 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "L60 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "L90 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "M60 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "T35 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "T60 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "M60 Multilin",
"vendor": "GE Vernova",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient Verification of Data Authenticity vulnerability in GE Vernova UR IED family devices allows an authenticated user to install a modified firmware.\u003cbr\u003eThe firmware signature verification is enforced only on the client-side dedicated software Enervista UR Setup, a\u003cspan style=\"background-color: var(--wht);\"\u003ellowing the integration check to be bypassed.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Insufficient Verification of Data Authenticity vulnerability in GE Vernova UR IED family devices allows an authenticated user to install a modified firmware.\nThe firmware signature verification is enforced only on the client-side dedicated software Enervista UR Setup, allowing the integration check to be bypassed."
}
],
"impacts": [
{
"capecId": "CAPEC-638",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-638 Altered Component Firmware"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T11:10:57.902Z",
"orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c",
"shortName": "Nozomi"
},
"references": [
{
"url": "https://www.gevernova.com/grid-solutions/app/DownloadFile.aspx?prod=urfamily\u0026type=21\u0026file=76"
},
{
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-27257"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c",
"assignerShortName": "Nozomi",
"cveId": "CVE-2025-27257",
"datePublished": "2025-03-10T09:05:34.817Z",
"dateReserved": "2025-02-21T08:32:26.974Z",
"dateUpdated": "2025-03-12T11:10:57.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-27257\",\"sourceIdentifier\":\"prodsec@nozominetworks.com\",\"published\":\"2025-03-10T09:15:11.613\",\"lastModified\":\"2025-03-12T12:15:15.187\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insufficient Verification of Data Authenticity vulnerability in GE Vernova UR IED family devices allows an authenticated user to install a modified firmware.\\nThe firmware signature verification is enforced only on the client-side dedicated software Enervista UR Setup, allowing the integration check to be bypassed.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de verificaci\u00f3n insuficiente de la autenticidad de los datos en los dispositivos de la familia GE Vernova UR IED permite que un usuario autenticado instale un firmware modificado. La verificaci\u00f3n de la firma del firmware se aplica \u00fanicamente en el software dedicado del lado del cliente Enervista UR Setup, lo que permite omitir la comprobaci\u00f3n de integraci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"prodsec@nozominetworks.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"prodsec@nozominetworks.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"references\":[{\"url\":\"https://www.gevernova.com/grid-solutions/app/DownloadFile.aspx?prod=urfamily\u0026type=21\u0026file=76\",\"source\":\"prodsec@nozominetworks.com\"},{\"url\":\"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-27257\",\"source\":\"prodsec@nozominetworks.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27257\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T13:23:04.580273Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T13:23:13.911Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-638\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-638 Altered Component Firmware\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"GE Vernova\", \"product\": \"N60 multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"B30 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"B90 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"C30 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"C60 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"C70 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"C95 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"D30 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"D60 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"F35 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"F60 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"G30 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"G60 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"L30 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"L60 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"L90 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"M60 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"T35 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"T60 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"GE Vernova\", \"product\": \"M60 Multilin\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"8.60\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.gevernova.com/grid-solutions/app/DownloadFile.aspx?prod=urfamily\u0026type=21\u0026file=76\"}, {\"url\": \"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-27257\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Insufficient Verification of Data Authenticity vulnerability in GE Vernova UR IED family devices allows an authenticated user to install a modified firmware.\\nThe firmware signature verification is enforced only on the client-side dedicated software Enervista UR Setup, allowing the integration check to be bypassed.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Insufficient Verification of Data Authenticity vulnerability in GE Vernova UR IED family devices allows an authenticated user to install a modified firmware.\u003cbr\u003eThe firmware signature verification is enforced only on the client-side dedicated software Enervista UR Setup, a\u003cspan style=\\\"background-color: var(--wht);\\\"\u003ellowing the integration check to be bypassed.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-345\", \"description\": \"CWE-345 Insufficient Verification of Data Authenticity\"}]}], \"providerMetadata\": {\"orgId\": \"bec8025f-a851-46e5-b3a3-058e6b0aa23c\", \"shortName\": \"Nozomi\", \"dateUpdated\": \"2025-03-12T11:10:57.902Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-27257\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-12T11:10:57.902Z\", \"dateReserved\": \"2025-02-21T08:32:26.974Z\", \"assignerOrgId\": \"bec8025f-a851-46e5-b3a3-058e6b0aa23c\", \"datePublished\": \"2025-03-10T09:05:34.817Z\", \"assignerShortName\": \"Nozomi\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…