CVE-2025-27254: GE Vernova EnerVista Authentication Bypass

CVE-2025-27254 Overview

CVE-2025-27254 is an authentication bypass vulnerability in GE Vernova EnerVista UR Setup, an engineering configuration tool for Universal Relay (UR) protection devices. The flaw is categorized as [CWE-282] Improper Ownership Management. The application's startup authentication can be disabled by modifying a Windows registry value that any local user can write. An unauthenticated local user can therefore launch the application and access protected functionality without credentials.

Critical Impact

A local user with no privileges can bypass authentication in EnerVista UR Setup and gain operator-level access to engineer protection relays used in electrical substations.

Affected Products

• GE Vernova EnerVista UR Setup
• Universal Relay (UR) family configuration workflows
• Windows endpoints running the EnerVista UR Setup client

Discovery Timeline

• 2025-03-10 - CVE-2025-27254 published to NVD
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-27254

Vulnerability Analysis

EnerVista UR Setup enforces a login prompt at application startup. The decision to require authentication is governed by a setting stored in the Windows registry. The registry key holding this setting is created with permissions that allow any authenticated Windows user to modify it. An attacker flips the value to disable the startup login check. On the next launch, the application opens directly into its configuration interface without prompting for credentials.

Because EnerVista UR Setup is used to configure UR protection relays in substations, post-bypass access exposes device communication profiles, FlexLogic equations, and setpoints. The CVSS vector indicates local attack vector, low complexity, no privileges, no user interaction, with low confidentiality, high integrity, and high availability impact.

Root Cause

The root cause is improper ownership and access control on the registry artifact that gates authentication. Security-relevant configuration should be stored under a hive or key where only administrators or the application's service identity can write. EnerVista UR Setup instead trusts a value writable by any standard user, violating least-privilege design for an authentication control.

Attack Vector

Exploitation requires local access to a Windows host with EnerVista UR Setup installed. The attacker authenticates as any unprivileged Windows user, opens the Registry Editor or invokes reg.exe, and changes the value that toggles the application's startup authentication. The attacker then starts EnerVista UR Setup and operates the tool without supplying application credentials. No memory corruption, code injection, or elevation of Windows privilege is required.

No public proof-of-concept exploit code is referenced in the advisory. See the Nozomi Networks CVE-2025-27254 Advisory and the GE Vernova product download portal for vendor-specific technical details.

Detection Methods for CVE-2025-27254

Indicators of Compromise

• Modifications to EnerVista UR Setup registry values that control startup authentication by non-administrative user SIDs.
• Launches of URPC.exe or related EnerVista UR Setup binaries by user accounts that have never previously interacted with the application.
• Registry writes performed by reg.exe, regedit.exe, or PowerShell Set-ItemProperty targeting EnerVista keys outside scheduled maintenance windows.

Detection Strategies

• Enable Windows registry auditing on the EnerVista UR Setup configuration keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER and forward Event ID 4657 to a central log platform.
• Correlate registry value changes with subsequent process starts of EnerVista UR Setup binaries within a short time window.
• Hunt for unexpected ACL or value modifications on engineering workstations that host substation tooling.

Monitoring Recommendations

• Inventory all hosts running EnerVista UR Setup and route their endpoint, process, and registry telemetry to a centralized analytics pipeline.
• Alert on first-time application launches per user-host pair for engineering tools in operational technology environments.
• Track outbound connections from EnerVista hosts to UR relay IP ranges and flag sessions originating from accounts not in the engineering role group.

How to Mitigate CVE-2025-27254

Immediate Actions Required

• Restrict interactive logon on EnerVista UR Setup hosts to a named group of substation engineers and remove general user access.
• Apply an ACL on the registry key governing startup authentication so that only Administrators and SYSTEM hold write permissions.
• Audit current registry values across all EnerVista UR Setup installations and reset any that have authentication disabled.

Patch Information

Consult GE Vernova for fixed versions of EnerVista UR Setup. Vendor downloads are available through the GE Vernova grid solutions portal. Coordinate any update with substation maintenance windows and confirm relay configurations after deployment.

Workarounds

• Host EnerVista UR Setup on dedicated, hardened engineering workstations isolated from the corporate network.
• Enforce application allowlisting so only approved users can launch EnerVista UR Setup binaries.
• Deploy registry-permission hardening through Group Policy to lock down the affected keys until the vendor patch is applied.
• Require multi-factor authentication for Windows logon on all hosts that run UR family engineering tools.

# Configuration example: tighten ACL on EnerVista registry path (run as Administrator)
reg.exe save "HKLM\SOFTWARE\GE Power Management\URPC" urpc-backup.hiv
# Replace permissions: allow Administrators and SYSTEM only
icacls.exe "%ProgramFiles(x86)%\GE Power Management\URPC" /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
# Enable auditing on the key for registry change events
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable