Firmware Modification Vulnerability in GE Vernova UR IED Devices
CVE-2025-27257

6.1MEDIUM

Key Information:

Vendor: Ge Vernova
Status: N60 Multilin; B30 Multilin; B90 Multilin; C30 Multilin
Vendor: CVE Published:; 10 March 2025

What is CVE-2025-27257?

A vulnerability in GE Vernova UR IED family devices permits authenticated users to install modified firmware due to inadequate verification of data authenticity. The existing firmware signature verification occurs solely on the client-side with Enervista UR Setup software, allowing potential bypass of the integration checks. This issue emphasizes the critical need for robust verification processes to ensure the integrity of firmware updates and safeguard against unauthorized modifications.

Affected Version(s)

B30 Multilin 7.0 <= 8.60

B90 Multilin 7.0 <= 8.60

C30 Multilin 7.0 <= 8.60

References

https://www.gevernova.com/grid-solutions/app/DownloadFile...

https://www.nozominetworks.com/labs/vulnerability-advisor...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2025
Vulnerability Reserved
Feb 21, 2025

Credit

Diego Giubertoni of Nozomi Networks found this bug during a security research activity.

Ge Vernova

What is CVE-2025-27257?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit