CVE-2025-55678

Severity: Critical
Status: Weaponized

GE Vernova UR Relay Firmware Tampering

ACTIVELY EXPLOITED IN THE WILD
APT-RELATED
CRITICAL INFRASTRUCTURE
CVSS v3.1 Base Score: 9.6

Critical severity — Immediate action required

AV: Network
AC: Medium
Auth: None

GE Vernova UR-series protection relays do not verify firmware authenticity during upload. An attacker can replace relay firmware with modified versions that alter protection settings. In power grid environments, this can lead to equipment damage, blackouts, or cascading failures. This CVE is linked to XENOTIME TTPs targeting energy infrastructure.
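As an added illustration of the CWE-345 weakness described above (not code from GE Vernova or from this advisory), the following Python contrasts an updater that installs whatever arrives on the management port with one that authenticates a manifest before installing, and shows that the hardened path refuses both a tampered image and a manifest forged without the provisioned key. The firmware layout, the MAC-based manifest and the key are constructed for the demo; a production design would use a vendor-signed asymmetric signature with the verification key provisioned on the device at manufacture.

```python
import hashlib
import hmac

# Constructed demo key. On a real relay the verification key is provisioned at
# manufacture; the uploaded package must never be able to supply its own key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def install_unverified(image: bytes) -> bytes:
    """The CWE-345 pattern: whatever arrives on the management port is installed."""
    return image


def build_manifest(image: bytes, key: bytes) -> dict:
    """Build side: bind the image digest to a MAC computed with the signing key."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "tag": tag}


def install_verified(image: bytes, manifest: dict, key: bytes) -> bytes:
    """Hardened path: authenticate the manifest first, then check the image against it."""
    expected = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest was not produced with the provisioned key")
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
        raise ValueError("image does not match the authenticated manifest")
    return image


def demo() -> dict:
    """Exercise the cases a practitioner would test; reports which images were accepted."""
    genuine = b"URFW\x01overcurrent_pickup=1.20\n"  # constructed firmware image
    manifest = build_manifest(genuine, DEMO_KEY)
    tampered = genuine.replace(b"1.20", b"9.99")  # protection threshold altered
    results = {
        "unverified_installs_tampered": install_unverified(tampered) == tampered,
        "verified_installs_genuine": install_verified(genuine, manifest, DEMO_KEY) == genuine,
    }
    for name, img, man in (
        ("verified_rejects_tampered", tampered, manifest),
        ("verified_rejects_forged_manifest", tampered, build_manifest(tampered, b"other-key")),
    ):
        try:
            install_verified(img, man, DEMO_KEY)
            results[name] = False
        except ValueError:
            results[name] = True
    return results
```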

Status
Weaponized
Complexity

Medium

Auth Required

No

Initial Access

UR relay management interface (TCP/23, TCP/80, Serial)

Threat Actors / APT Groups
XENOTIME
SANDWORM
Known Techniques
  • Firmware upload via Telnet management interface without signature validation
  • Modified firmware that alters overcurrent protection thresholds
  • Persistent backdoor embedded in relay firmware update package
Published: 2025-02-08
Modified: 2025-02-12
Vendor: GE Vernova
CWE: CWE-345 (Insufficient Verification of Data Authenticity)
Risk Summary
Overall Risk: Critical
Exploitation: Weaponized
Detection: Medium coverage
Detection Rate: 82%
Rules Available: 1
Industry Sectors
Threat Actors
XENOTIME
SANDWORM