CVE-2025-27255
Published: 10 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-27255, published on 2025-03-10, is a Use of Hard-coded Credentials vulnerability (CWE-798) in GE Vernova's EnerVista UR Setup software. The issue allows privilege escalation because the local user database is encrypted using a hardcoded password that an attacker can retrieve by analyzing the application code. It carries a CVSS v3.1 base score of 8.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H), reflecting high severity due to low attack complexity, no required privileges, and significant impacts on integrity and availability.
An attacker with local access to the affected system can exploit this vulnerability without needing user privileges or interaction. By examining the application code, the attacker retrieves the hardcoded password, decrypts the local user database, and escalates privileges. This results in low confidentiality impact but high integrity and availability disruption.
Advisories from GE Vernova (https://www.gevernova.com/grid-solutions/app/DownloadFile.aspx?prod=urfamily&type=21&file=76) and Nozomi Networks (https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-27255) provide details on mitigation and patches for this vulnerability.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables local privilege escalation by allowing retrieval of the hardcoded encryption key via code analysis to decrypt the user database and gain higher privileges.