Cyber Resilience

CVE-2025-27255

High

Published: 10 March 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0004 (12.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27255 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in GE Vernova (vendor inferred from references). Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 12.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-27255, published on 2025-03-10, is a Use of Hard-coded Credentials vulnerability (CWE-798) in GE Vernova's EnerVista UR Setup software. The issue allows privilege escalation because the local user database is encrypted using a hardcoded password that an attacker can retrieve by analyzing the application code. It carries a CVSS v3.1 base score of 8.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H), reflecting high severity due to low attack complexity, no required privileges, and significant impacts on integrity and availability.

An attacker with local access to the affected system can exploit this vulnerability without needing user privileges or interaction. By examining the application code, the attacker retrieves the hardcoded password, decrypts the local user database, and escalates privileges. This results in low confidentiality impact but high integrity and availability disruption.

Advisories from GE Vernova (https://www.gevernova.com/grid-solutions/app/DownloadFile.aspx?prod=urfamily&type=21&file=76) and Nozomi Networks (https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-27255) provide details on mitigation and patches for this vulnerability.

Vulnerability details

Use of Hard-coded Credentials vulnerability in GE Vernova EnerVista UR Setup allows Privilege Escalation. The local user database is encrypted using a hardcoded password retrievable by an attacker analyzing the application code.

CWE(s)

CWE-798 Use of Hard-coded Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability directly enables local privilege escalation by allowing retrieval of the hardcoded encryption key via code analysis to decrypt the user database and gain higher privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-49551 (shared CWE-798)
CVE-2024-53356 (shared CWE-798)
CVE-2025-33222 (shared CWE-798)
CVE-2026-28776 (shared CWE-798)
CVE-2026-28778 (shared CWE-798)
CVE-2024-53357 (shared CWE-798)
CVE-2026-23781 (shared CWE-798)
CVE-2025-42890 (shared CWE-798)
CVE-2025-59091 (shared CWE-798)
CVE-2025-30122 (shared CWE-798)

Affected Assets

Gevernova
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 requires timely identification, reporting, testing, and correction of system flaws, directly mitigating this CVE via vendor-provided patches that eliminate the hardcoded credential.

Prevent: IA-5 mandates protection of authenticators from unauthorized disclosure and modification while prohibiting default or easily retrievable credentials, which rules out the hardcoded password used to encrypt the local user database.

Detect: RA-5 requires vulnerability scanning to identify issues like this hardcoded credential vulnerability, enabling detection and prioritization for remediation.
